diff --git a/obligations/cra_authentication.json b/obligations/cra_authentication.json
new file mode 100644
index 00000000..3e16527d
--- /dev/null
+++ b/obligations/cra_authentication.json
@@ -0,0 +1,10458 @@ +{ + "schema_version": "obligation_registry_v1", + "regulation": "CRA", + "regulation_code": "eu_2024_2847", + "family": "authentication", + "generated_by": "obl_auth_synth/claude-opus-4-8", + "synthesis_version": "v1", + "citation_status": "pending_span_anchor", + "obligations": [ + { + "id": "user_authentication_required", + "name": "Benutzerauthentifizierung vor Zugriff", + "description": "Produkte mit digitalen Elementen muessen Nutzer und Entitaeten vor Gewaehrung von Zugriff auf Funktionen, Daten oder geschuetzte Ressourcen authentisieren.", + "tier": "LEGAL_MINIMUM", + "family": "authentication", + "subdomain": "credential", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I (2)(d)", + "citation": "protect... by ensuring protection from unauthorised access, including by reporting... appropriate control mechanisms incl. 
authentication, identity or access management" + } + ], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "AC-14", + "role": "best_practice" + } + ], + "member_review_units": [ + "M3", + "M5", + "M9", + "M21", + "M36", + "M113", + "M118", + "M155", + "M160" + ], + "member_controls": [ + "ACC-0383-A06", + "ACC-0384-A02", + "ACC-0384-A03", + "ACC-067-A06", + "ACC-067-A17", + "ACC-082-A06", + "ACC-082-A07", + "ACC-082-A15", + "ACC-082-A16", + "ACC-111-A05", + "ACC-111-A10", + "ACC-320", + "ACC-320-A01", + "ACC-320-A02", + "ACC-320-A03", + "ACC-320-A04", + "ACC-320-A06", + "ACC-320-A09", + "ACC-320-A10", + "ACC-320-A11", + "ACC-320-A12", + "ACC-320-A13", + "ACC-320-A17", + "ACC-320-A19", + "ACC-320-A20", + "ACC-320-A21", + "ACC-320-A26", + "ACC-320-A28", + "ACC-320-A29", + "ACC-320-A35", + "ACC-320-A36", + "ACC-320-A37", + "ACC-320-A38", + "ACC-320-A41", + "ACC-320-A42", + "ACC-320-A43", + "ACC-320-A44", + "ACC-320-A45", + "ACC-327-A18", + "ACC-327-A60", + "ACC-427", + "ACC-427-A01", + "ACC-427-A02", + "ACC-427-A03", + "ACC-427-A11", + "ACC-427-A12", + "ACC-477-A03", + "ACC-478-A02", + "ACC-490", + "ACC-490-A02", + "ACC-490-A04", + "ACC-490-A09", + "ACC-499-A05", + "ACC-504-A09", + "ACC-508-A01", + "ACC-513", + "ACC-518-A06", + "ACC-559", + "ACC-567-A10", + "ACC-571-A05", + "ACC-578-A03", + "ACC-581-A04", + "ACC-586-A03", + "ACC-586-A04", + "ACC-588-A03", + "ACC-594-A10", + "ACC-607-A01", + "ACC-607-A04", + "ACC-630-A05", + "ACC-630-A12", + "ACC-635", + "ACC-635-A01", + "ACC-637", + "ACC-637-A01", + "ACC-641-A06", + "ACC-653", + "ACC-653-A01", + "ACC-657-A02", + "ACC-660-A06", + "ACC-673-A10", + "ACC-727-A03", + "ACC-741-A03", + "ACL-004", + "ACL-004-A03", + "ACL-004-A04", + "ACL-004-A06", + "AI-052-A26", + "AI-052-A27", + "AI-1012", + "AI-1012-A03", + "AI-1012-A04", + "AI-1012-A05", + "AI-1012-A07", + "AI-1027-A07", + "AI-1236-A04", + "AI-1263-A05", + "AI-1263-A10", + "AI-1392-A06", + "AI-1408-A01", + "AI-1417-A06", + "AI-1660-A12", + "AI-1715-A08", + 
"AI-814", + "AI-814-A02", + "AI-814-A06", + "AI-814-A07", + "AI-814-A11", + "AI-814-A12", + "AI-814-A16", + "AI-814-A17", + "AI-814-A21", + "AI-814-A22", + "AI-814-A26", + "AI-814-A27", + "AI-981-A04", + "AI-997-A01", + "API-001", + "ARC-007-A06", + "AUTH-018", + "AUTH-018-A18", + "AUTH-032", + "AUTH-043", + "AUTH-045", + "AUTH-067-A12", + "AUTH-098", + "AUTH-1001", + "AUTH-1002", + "AUTH-1003", + "AUTH-1003-A01", + "AUTH-1004-A01", + "AUTH-1008", + "AUTH-1009-A01", + "AUTH-1009-A03", + "AUTH-1011-A01", + "AUTH-1019", + "AUTH-1026", + "AUTH-1026-A01", + "AUTH-1048", + "AUTH-1048-A03", + "AUTH-1048-A04", + "AUTH-1048-A19", + "AUTH-1048-A68", + "AUTH-1048-A69", + "AUTH-1049", + "AUTH-1060", + "AUTH-1061", + "AUTH-1087-A01", + "AUTH-1087-A04", + "AUTH-1092", + "AUTH-1092-A04", + "AUTH-1099-A04", + "AUTH-1102-A08", + "AUTH-1110", + "AUTH-1110-A03", + "AUTH-120-A11", + "AUTH-1283", + "AUTH-1283-A01", + "AUTH-1283-A02", + "AUTH-1291", + "AUTH-1293", + "AUTH-1295-A01", + "AUTH-1296-A05", + "AUTH-1298-A02", + "AUTH-1303-A03", + "AUTH-1303-A04", + "AUTH-1310-A01", + "AUTH-1313-A01", + "AUTH-1313-A03", + "AUTH-1321-A05", + "AUTH-1426-A05", + "AUTH-1426-A06", + "AUTH-1437", + "AUTH-1437-A01", + "AUTH-1437-A04", + "AUTH-1437-A06", + "AUTH-1437-A07", + "AUTH-1441", + "AUTH-1443-A02", + "AUTH-1445-A04", + "AUTH-1446", + "AUTH-1446-A02", + "AUTH-1446-A04", + "AUTH-1455", + "AUTH-1455-A01", + "AUTH-1455-A07", + "AUTH-1463-A02", + "AUTH-1463-A07", + "AUTH-1463-A08", + "AUTH-1464-A04", + "AUTH-1464-A05", + "AUTH-1464-A07", + "AUTH-1466-A04", + "AUTH-1466-A08", + "AUTH-1468", + "AUTH-1468-A03", + "AUTH-1468-A04", + "AUTH-1468-A07", + "AUTH-1468-A08", + "AUTH-1472-A01", + "AUTH-1524", + "AUTH-1524-A01", + "AUTH-1524-A02", + "AUTH-1525-A03", + "AUTH-1529", + "AUTH-1529-A01", + "AUTH-1529-A06", + "AUTH-1535-A02", + "AUTH-1538-A01", + "AUTH-1538-A10", + "AUTH-1539-A03", + "AUTH-1576-A01", + "AUTH-1579-A01", + "AUTH-1583-A06", + "AUTH-1623-A04", + "AUTH-1623-A07", + "AUTH-1623-A08", + 
"AUTH-1624-A11", + "AUTH-1631", + "AUTH-1633-A01", + "AUTH-1634-A06", + "AUTH-1635-A06", + "AUTH-1635-A12", + "AUTH-1637-A03", + "AUTH-1637-A08", + "AUTH-1640-A03", + "AUTH-1640-A04", + "AUTH-1652-A07", + "AUTH-1654", + "AUTH-1654-A01", + "AUTH-1654-A02", + "AUTH-1654-A03", + "AUTH-1654-A05", + "AUTH-1655-A02", + "AUTH-1658-A05", + "AUTH-1666-A04", + "AUTH-1669-A04", + "AUTH-1669-A07", + "AUTH-1673-A08", + "AUTH-1675-A07", + "AUTH-1678-A02", + "AUTH-1691", + "AUTH-1691-A01", + "AUTH-1694-A06", + "AUTH-1695", + "AUTH-1696-A03", + "AUTH-1696-A04", + "AUTH-1700-A04", + "AUTH-1701-A09", + "AUTH-1702-A03", + "AUTH-1706-A03", + "AUTH-1706-A05", + "AUTH-1706-A06", + "AUTH-1706-A09", + "AUTH-1708", + "AUTH-1709-A05", + "AUTH-1711-A02", + "AUTH-1711-A04", + "AUTH-1711-A07", + "AUTH-1711-A10", + "AUTH-1713", + "AUTH-1716", + "AUTH-1721-A03", + "AUTH-1752-A10", + "AUTH-1753-A01", + "AUTH-1753-A02", + "AUTH-1753-A04", + "AUTH-1753-A07", + "AUTH-1790-A01", + "AUTH-1808-A07", + "AUTH-1809", + "AUTH-1809-A01", + "AUTH-1809-A02", + "AUTH-1809-A03", + "AUTH-1809-A04", + "AUTH-1809-A05", + "AUTH-1809-A06", + "AUTH-1810", + "AUTH-1810-A01", + "AUTH-1810-A06", + "AUTH-1811", + "AUTH-1812", + "AUTH-1812-A01", + "AUTH-1812-A02", + "AUTH-1814-A01", + "AUTH-1820-A04", + "AUTH-1820-A06", + "AUTH-1823", + "AUTH-1823-A01", + "AUTH-1823-A02", + "AUTH-1826-A10", + "AUTH-1827-A04", + "AUTH-1830-A02", + "AUTH-1830-A03", + "AUTH-1830-A06", + "AUTH-1830-A08", + "AUTH-1831-A05", + "AUTH-1833-A03", + "AUTH-1833-A05", + "AUTH-1833-A08", + "AUTH-1843-A08", + "AUTH-1859", + "AUTH-1859-A02", + "AUTH-1859-A03", + "AUTH-1862-A04", + "AUTH-1877", + "AUTH-1877-A01", + "AUTH-1877-A02", + "AUTH-1877-A06", + "AUTH-1877-A08", + "AUTH-1896-A01", + "AUTH-1901", + "AUTH-1901-A01", + "AUTH-1909", + "AUTH-1909-A01", + "AUTH-1909-A02", + "AUTH-1909-A05", + "AUTH-1909-A07", + "AUTH-1909-A08", + "AUTH-1910-A11", + "AUTH-1911-A01", + "AUTH-1911-A05", + "AUTH-1912-A04", + "AUTH-1915-A03", + "AUTH-1915-A08", + 
"AUTH-1916-A01", + "AUTH-1916-A05", + "AUTH-1917-A04", + "AUTH-1917-A08", + "AUTH-1933", + "AUTH-1935", + "AUTH-1936-A11", + "AUTH-1938", + "AUTH-1943", + "AUTH-1943-A02", + "AUTH-1943-A07", + "AUTH-1944", + "AUTH-1944-A01", + "AUTH-1945-A07", + "AUTH-1945-A09", + "AUTH-1946-A03", + "AUTH-1946-A04", + "AUTH-1952", + "AUTH-1952-A02", + "AUTH-1952-A03", + "AUTH-1952-A05", + "AUTH-1952-A06", + "AUTH-1952-A07", + "AUTH-1952-A08", + "AUTH-1959", + "AUTH-1959-A01", + "AUTH-1959-A02", + "AUTH-2280", + "AUTH-2280-A01", + "AUTH-2289", + "AUTH-2320", + "AUTH-2331-A08", + "AUTH-2333-A01", + "AUTH-2333-A02", + "AUTH-2338-A06", + "AUTH-2345-A03", + "AUTH-2345-A04", + "AUTH-2368-A03", + "AUTH-2368-A04", + "AUTH-2372-A01", + "AUTH-2375", + "AUTH-2382-A01", + "AUTH-2399", + "AUTH-2399-A01", + "AUTH-2399-A04", + "AUTH-2400-A03", + "AUTH-2403", + "AUTH-2403-A03", + "AUTH-2403-A06", + "AUTH-2405", + "AUTH-2405-A05", + "AUTH-2412-A02", + "AUTH-2412-A03", + "AUTH-2413-A04", + "AUTH-2416-A01", + "AUTH-2416-A03", + "AUTH-2417", + "AUTH-2417-A04", + "AUTH-2417-A11", + "AUTH-2417-A13", + "AUTH-2424-A01", + "AUTH-2428", + "AUTH-2441-A01", + "AUTH-2444-A01", + "AUTH-2444-A07", + "AUTH-2451-A04", + "AUTH-2464-A03", + "AUTH-2466-A10", + "AUTH-2483-A02", + "AUTH-2485-A07", + "AUTH-2510-A06", + "AUTH-2550-A02", + "AUTH-2550-A03", + "AUTH-2630", + "AUTH-2630-A02", + "AUTH-2635", + "AUTH-2635-A04", + "AUTH-2635-A05", + "AUTH-2635-A07", + "AUTH-2660-A01", + "AUTH-2678", + "AUTH-2678-A01", + "AUTH-2779", + "AUTH-2781-A03", + "AUTH-2801", + "AUTH-2801-A03", + "AUTH-2817", + "AUTH-2817-A03", + "AUTH-2817-A04", + "AUTH-2817-A05", + "AUTH-2847", + "AUTH-2851", + "AUTH-2852", + "AUTH-2852-A01", + "AUTH-2866", + "AUTH-2866-A01", + "AUTH-2866-A03", + "AUTH-2873-A01", + "AUTH-2873-A05", + "AUTH-2873-A07", + "AUTH-2875-A03", + "AUTH-2877-A01", + "AUTH-2877-A05", + "AUTH-2880-A01", + "AUTH-2883", + "AUTH-2883-A01", + "AUTH-2883-A02", + "AUTH-2912-A01", + "AUTH-2919", + "AUTH-2921-A12", + "AUTH-2922-A01", + 
"AUTH-2922-A02", + "AUTH-2929", + "AUTH-2930", + "AUTH-2935-A02", + "AUTH-2935-A06", + "AUTH-2939-A04", + "AUTH-2943", + "AUTH-2943-A02", + "AUTH-2944-A04", + "AUTH-2945-A03", + "AUTH-2946", + "AUTH-2949-A06", + "AUTH-2956-A14", + "AUTH-2958-A07", + "AUTH-2959-A03", + "AUTH-2960-A01", + "AUTH-2960-A06", + "AUTH-2960-A07", + "AUTH-2960-A08", + "AUTH-2964", + "AUTH-2966-A01", + "AUTH-2966-A04", + "AUTH-2967-A05", + "AUTH-2970-A03", + "AUTH-2970-A05", + "AUTH-2970-A08", + "AUTH-2975-A02", + "AUTH-2975-A12", + "AUTH-2977-A05", + "AUTH-2980", + "AUTH-2981-A08", + "AUTH-2984", + "AUTH-2987-A01", + "AUTH-2989-A01", + "AUTH-2989-A05", + "AUTH-2993-A03", + "AUTH-2994-A03", + "AUTH-2996-A01", + "AUTH-3002-A04", + "AUTH-3013-A01", + "AUTH-3013-A02", + "AUTH-3016-A15", + "AUTH-3016-A16", + "AUTH-3017-A03", + "AUTH-3021-A01", + "AUTH-3021-A04", + "AUTH-3022-A06", + "AUTH-3025", + "AUTH-3025-A01", + "AUTH-3038", + "AUTH-3038-A03", + "AUTH-3045", + "AUTH-3045-A01", + "AUTH-3045-A02", + "AUTH-3045-A03", + "AUTH-3065-A02", + "AUTH-3065-A03", + "AUTH-3065-A04", + "AUTH-3069", + "AUTH-3071-A01", + "AUTH-3071-A04", + "AUTH-3071-A09", + "AUTH-3073", + "AUTH-3073-A02", + "AUTH-3073-A03", + "AUTH-3073-A05", + "AUTH-3075-A01", + "AUTH-3075-A02", + "AUTH-3077", + "AUTH-3078", + "AUTH-3082", + "AUTH-3082-A01", + "AUTH-3108-A05", + "AUTH-3112-A14", + "AUTH-3150", + "AUTH-3150-A01", + "AUTH-3150-A04", + "AUTH-3150-A07", + "AUTH-3150-A09", + "AUTH-3151", + "AUTH-3151-A01", + "AUTH-3151-A05", + "AUTH-3151-A06", + "AUTH-3151-A07", + "AUTH-3151-A08", + "AUTH-3151-A10", + "AUTH-3151-A11", + "AUTH-3154", + "AUTH-3154-A01", + "AUTH-3154-A02", + "AUTH-3154-A08", + "AUTH-3155", + "AUTH-3155-A03", + "AUTH-3155-A04", + "AUTH-3155-A08", + "AUTH-3161-A04", + "AUTH-3164-A02", + "AUTH-3164-A05", + "AUTH-3164-A07", + "AUTH-3164-A12", + "AUTH-3166-A01", + "AUTH-3166-A02", + "AUTH-3170", + "AUTH-3170-A01", + "AUTH-3170-A02", + "AUTH-3230-A01", + "AUTH-3231-A04", + "AUTH-3246-A01", + "AUTH-3247-A04", + 
"AUTH-3258", + "AUTH-3258-A01", + "AUTH-3258-A04", + "AUTH-3258-A07", + "AUTH-3258-A10", + "AUTH-3258-A11", + "AUTH-3266", + "AUTH-3266-A01", + "AUTH-3279-A03", + "AUTH-3281-A01", + "AUTH-3286-A01", + "AUTH-3314-A01", + "AUTH-3314-A02", + "AUTH-3314-A03", + "AUTH-3333-A07", + "AUTH-3343", + "AUTH-3343-A02", + "AUTH-3394-A04", + "AUTH-3396-A01", + "AUTH-3396-A04", + "AUTH-3399", + "AUTH-3399-A03", + "AUTH-3399-A05", + "AUTH-3430-A07", + "AUTH-3450", + "AUTH-3452-A01", + "AUTH-3452-A05", + "AUTH-3454-A03", + "AUTH-3458-A01", + "AUTH-3460-A01", + "AUTH-3460-A02", + "AUTH-3460-A05", + "AUTH-3460-A07", + "AUTH-3460-A08", + "AUTH-3461-A02", + "AUTH-3461-A06", + "AUTH-3541-A01", + "AUTH-3541-A05", + "AUTH-3542-A08", + "AUTH-3545-A05", + "AUTH-3545-A09", + "AUTH-3547-A01", + "AUTH-3548-A02", + "AUTH-3549", + "AUTH-3552", + "AUTH-3552-A03", + "AUTH-3552-A05", + "AUTH-3554", + "AUTH-3554-A03", + "AUTH-3556-A03", + "AUTH-3558", + "AUTH-3558-A02", + "AUTH-3558-A04", + "AUTH-3562", + "AUTH-3594-A05", + "AUTH-3595-A01", + "AUTH-3596-A06", + "AUTH-3597", + "AUTH-3597-A03", + "AUTH-3597-A04", + "AUTH-3597-A05", + "AUTH-3597-A09", + "AUTH-3599-A02", + "AUTH-3599-A05", + "AUTH-3624", + "AUTH-3624-A01", + "AUTH-3624-A02", + "AUTH-3641", + "AUTH-3641-A01", + "AUTH-3641-A08", + "AUTH-3645-A05", + "AUTH-3645-A06", + "AUTH-3648-A06", + "AUTH-3656-A09", + "AUTH-3656-A12", + "AUTH-3656-A13", + "AUTH-3677-A06", + "AUTH-3704-A06", + "AUTH-3705", + "AUTH-3705-A01", + "AUTH-3751-A01", + "AUTH-3825-A01", + "AUTH-3825-A06", + "AUTH-384", + "AUTH-384-A05", + "AUTH-384-A07", + "AUTH-384-A10", + "AUTH-3887-A07", + "AUTH-3906", + "AUTH-3915-A03", + "AUTH-3922", + "AUTH-3923-A02", + "AUTH-3935", + "AUTH-3935-A10", + "AUTH-3935-A11", + "AUTH-3935-A12", + "AUTH-3935-A13", + "AUTH-3935-A14", + "AUTH-3935-A15", + "AUTH-3935-A16", + "AUTH-3935-A17", + "AUTH-3935-A18", + "AUTH-3935-A19", + "AUTH-3946-A03", + "AUTH-3946-A06", + "AUTH-3947-A06", + "AUTH-3951-A06", + "AUTH-3951-A07", + "AUTH-3955-A01", + 
"AUTH-3958", + "AUTH-3960-A02", + "AUTH-3960-A03", + "AUTH-3960-A04", + "AUTH-3962-A01", + "AUTH-3964-A06", + "AUTH-3968-A07", + "AUTH-3977-A03", + "AUTH-3984-A04", + "AUTH-3993-A01", + "AUTH-3993-A03", + "AUTH-3997", + "AUTH-3997-A02", + "AUTH-3999-A02", + "AUTH-4007", + "AUTH-4027-A03", + "AUTH-4030-A06", + "AUTH-4031-A06", + "AUTH-4032-A08", + "AUTH-4035", + "AUTH-4035-A05", + "AUTH-4035-A06", + "AUTH-4043-A08", + "AUTH-4048", + "AUTH-4053", + "AUTH-4054-A02", + "AUTH-4054-A04", + "AUTH-4054-A07", + "AUTH-4072-A06", + "AUTH-4076-A01", + "AUTH-4082-A01", + "AUTH-4095-A01", + "AUTH-4130", + "AUTH-4130-A01", + "AUTH-4133-A01", + "AUTH-4135", + "AUTH-451-A02", + "AUTH-474", + "AUTH-474-A02", + "AUTH-497", + "AUTH-497-A03", + "AUTH-500-A03", + "AUTH-505-A04", + "AUTH-520", + "AUTH-520-A01", + "AUTH-524-A08", + "AUTH-530-A01", + "AUTH-530-A05", + "AUTH-530-A08", + "AUTH-530-A11", + "AUTH-532", + "AUTH-538-A06", + "AUTH-548", + "AUTH-548-A01", + "AUTH-548-A03", + "AUTH-559", + "AUTH-559-A01", + "AUTH-559-A03", + "AUTH-559-A05", + "AUTH-559-A09", + "AUTH-559-A12", + "AUTH-577", + "AUTH-577-A05", + "AUTH-582", + "AUTH-582-A01", + "AUTH-584", + "AUTH-584-A01", + "AUTH-584-A02", + "AUTH-584-A08", + "AUTH-584-A09", + "AUTH-585", + "AUTH-585-A03", + "AUTH-592", + "AUTH-592-A02", + "AUTH-595", + "AUTH-595-A05", + "AUTH-595-A07", + "AUTH-610", + "AUTH-610-A06", + "AUTH-615", + "AUTH-615-A01", + "AUTH-615-A02", + "AUTH-615-A03", + "AUTH-615-A04", + "AUTH-615-A05", + "AUTH-616", + "AUTH-616-A01", + "AUTH-616-A02", + "AUTH-616-A03", + "AUTH-616-A05", + "AUTH-616-A06", + "AUTH-616-A12", + "AUTH-616-A13", + "AUTH-617", + "AUTH-621-A08", + "AUTH-621-A16", + "AUTH-623", + "AUTH-623-A01", + "AUTH-623-A02", + "AUTH-623-A03", + "AUTH-623-A04", + "AUTH-623-A05", + "AUTH-623-A06", + "AUTH-637-A08", + "AUTH-637-A09", + "AUTH-637-A30", + "AUTH-646-A04", + "AUTH-655-A10", + "AUTH-655-A11", + "AUTH-659", + "AUTH-659-A01", + "AUTH-661-A06", + "AUTH-661-A15", + "AUTH-670-A06", + "AUTH-694", + 
"AUTH-694-A02", + "AUTH-694-A03", + "AUTH-700-A02", + "AUTH-710-A03", + "AUTH-710-A04", + "AUTH-710-A05", + "AUTH-725-A03", + "AUTH-727", + "AUTH-730-A03", + "AUTH-730-A12", + "AUTH-732", + "AUTH-732-A04", + "AUTH-732-A05", + "AUTH-732-A06", + "AUTH-732-A07", + "AUTH-732-A08", + "AUTH-734", + "AUTH-734-A01", + "AUTH-734-A11", + "AUTH-745", + "AUTH-745-A01", + "AUTH-748-A05", + "AUTH-748-A06", + "AUTH-748-A10", + "AUTH-748-A11", + "AUTH-752", + "AUTH-752-A01", + "AUTH-752-A07", + "AUTH-774", + "AUTH-775-A10", + "AUTH-784", + "AUTH-784-A02", + "AUTH-784-A03", + "AUTH-784-A07", + "AUTH-785-A01", + "AUTH-803-A01", + "AUTH-803-A05", + "AUTH-803-A06", + "AUTH-803-A07", + "AUTH-803-A08", + "AUTH-804-A06", + "AUTH-807", + "AUTH-807-A01", + "AUTH-818-A02", + "AUTH-822-A04", + "AUTH-822-A05", + "AUTH-822-A07", + "AUTH-822-A09", + "AUTH-825-A05", + "AUTH-827-A05", + "AUTH-827-A06", + "AUTH-827-A09", + "AUTH-827-A14", + "AUTH-828-A05", + "AUTH-828-A09", + "AUTH-828-A10", + "AUTH-836-A04", + "AUTH-836-A05", + "AUTH-836-A07", + "AUTH-836-A11", + "AUTH-836-A16", + "AUTH-837-A06", + "AUTH-837-A13", + "AUTH-838-A10", + "AUTH-838-A17", + "AUTH-838-A26", + "AUTH-838-A36", + "AUTH-838-A44", + "AUTH-844-A03", + "AUTH-844-A12", + "AUTH-844-A20", + "AUTH-844-A27", + "AUTH-844-A36", + "AUTH-845", + "AUTH-845-A01", + "AUTH-845-A13", + "AUTH-845-A24", + "AUTH-845-A27", + "AUTH-845-A45", + "AUTH-846", + "AUTH-846-A01", + "AUTH-846-A02", + "AUTH-846-A03", + "AUTH-846-A10", + "AUTH-846-A11", + "AUTH-846-A12", + "AUTH-846-A20", + "AUTH-846-A21", + "AUTH-846-A22", + "AUTH-846-A30", + "AUTH-846-A31", + "AUTH-846-A32", + "AUTH-846-A39", + "AUTH-846-A40", + "AUTH-846-A41", + "AUTH-849", + "AUTH-849-A10", + "AUTH-849-A17", + "AUTH-849-A23", + "AUTH-849-A34", + "AUTH-849-A40", + "AUTH-849-A49", + "AUTH-849-A55", + "AUTH-851-A01", + "AUTH-851-A02", + "AUTH-851-A46", + "AUTH-885-A03", + "AUTH-885-A10", + "AUTH-885-A17", + "AUTH-885-A22", + "AUTH-885-A31", + "AUTH-888-A03", + "AUTH-888-A10", + 
"AUTH-888-A17", + "AUTH-888-A25", + "AUTH-888-A30", + "AUTH-888-A33", + "AUTH-888-A37", + "AUTH-894", + "AUTH-894-A06", + "AUTH-894-A11", + "AUTH-894-A12", + "AUTH-894-A17", + "AUTH-894-A22", + "AUTH-902-A01", + "AUTH-902-A11", + "AUTH-902-A17", + "AUTH-903-A23", + "AUTH-905-A04", + "AUTH-905-A09", + "AUTH-905-A14", + "AUTH-905-A17", + "AUTH-905-A22", + "AUTH-909-A02", + "AUTH-909-A12", + "AUTH-909-A22", + "AUTH-909-A32", + "AUTH-909-A42", + "AUTH-913-A05", + "AUTH-914", + "AUTH-915", + "AUTH-915-A07", + "AUTH-915-A13", + "AUTH-915-A14", + "AUTH-917", + "AUTH-917-A01", + "AUTH-917-A04", + "AUTH-917-A05", + "AUTH-917-A06", + "AUTH-917-A09", + "AUTH-917-A10", + "AUTH-917-A11", + "AUTH-917-A14", + "AUTH-917-A15", + "AUTH-917-A16", + "AUTH-917-A17", + "AUTH-917-A20", + "AUTH-917-A21", + "AUTH-917-A22", + "AUTH-917-A24", + "AUTH-917-A25", + "AUTH-917-A26", + "AUTH-919-A01", + "AUTH-919-A07", + "AUTH-922-A02", + "AUTH-922-A08", + "AUTH-928-A07", + "AUTH-928-A13", + "AUTH-928-A19", + "AUTH-928-A25", + "AUTH-928-A30", + "AUTH-932", + "AUTH-937-A01", + "AUTH-937-A08", + "AUTH-937-A15", + "AUTH-937-A22", + "AUTH-937-A29", + "AUTH-938-A01", + "AUTH-938-A02", + "AUTH-938-A03", + "AUTH-938-A08", + "AUTH-938-A09", + "AUTH-938-A10", + "AUTH-938-A13", + "AUTH-938-A14", + "AUTH-938-A19", + "AUTH-938-A20", + "AUTH-938-A21", + "AUTH-938-A26", + "AUTH-938-A27", + "AUTH-938-A28", + "AUTH-938-A36", + "AUTH-938-A37", + "AUTH-938-A38", + "AUTH-941", + "AUTH-941-A04", + "AUTH-941-A05", + "AUTH-941-A10", + "AUTH-941-A11", + "AUTH-941-A14", + "AUTH-941-A17", + "AUTH-941-A18", + "AUTH-941-A23", + "AUTH-941-A24", + "AUTH-942-A13", + "AUTH-948", + "AUTH-949-A18", + "AUTH-954-A15", + "AUTH-974-A07", + "AUTH-988-A09", + "AUTH-988-A20", + "AUTH-989-A18", + "COMP-001-A41", + "COMP-001-A83", + "COMP-1079-A02", + "COMP-1079-A10", + "COMP-1264-A01", + "COMP-1264-A02", + "COMP-1264-A05", + "COMP-1812-A02", + "COMP-1817", + "COMP-1883-A01", + "COMP-1883-A03", + "COMP-1904-A01", + "COMP-1904-A04", + 
"COMP-1904-A05", + "COMP-1951-A03", + "COMP-1960-A06", + "COMP-1960-A09", + "COMP-2012-A02", + "COMP-2029-A04", + "COMP-2131-A09", + "COMP-2182-A02", + "COMP-2627-A08", + "COMP-2639-A04", + "COMP-2652-A02", + "COMP-3435-A01", + "COMP-3435-A05", + "COMP-3602", + "COMP-3602-A01", + "COMP-3602-A08", + "COMP-3602-A10", + "COMP-3733-A03", + "COMP-3739-A09", + "COMP-3981", + "COMP-3983-A02", + "COMP-3983-A04", + "COMP-3983-A05", + "COMP-3983-A09", + "COMP-3983-A10", + "COMP-3983-A11", + "COMP-3983-A14", + "CRYP-1017-A01", + "CRYP-1097-A09", + "CRYP-1103-A11", + "CRYP-1124-A05", + "CRYP-1134", + "CRYP-1252-A02", + "CRYP-1255-A01", + "CRYP-1305-A03", + "CRYP-1306-A07", + "CRYP-1385-A02", + "CRYP-1386-A08", + "CRYP-1391-A05", + "CRYP-1393-A03", + "CRYP-1421-A03", + "CRYP-1466-A03", + "CRYP-1466-A05", + "CRYP-1525-A06", + "CRYP-1652-A10", + "CRYP-1684-A01", + "CRYP-1694-A01", + "CRYP-1712-A15", + "CRYP-1725-A07", + "CRYP-1750-A14", + "CRYP-1756-A05", + "CRYP-1788-A03", + "CRYP-1819-A02", + "CRYP-1864", + "CRYP-1864-A02", + "CRYP-1864-A03", + "CRYP-190-A12", + "CRYP-190-A13", + "CRYP-1968-A15", + "CRYP-1983-A01", + "CRYP-2094-A03", + "CRYP-2142-A02", + "CRYP-2144-A02", + "CRYP-2192-A03", + "CRYP-2192-A06", + "CRYP-2287-A12", + "CRYP-2294-A09", + "CRYP-335-A03", + "CRYP-425-A02", + "CRYP-447-A16", + "CRYP-450-A05", + "CRYP-450-A06", + "CRYP-450-A40", + "CRYP-450-A52", + "CRYP-450-A53", + "CRYP-626", + "CRYP-655-A01", + "CRYP-655-A07", + "CRYP-671-A08", + "CRYP-749-A05", + "CRYP-773-A02", + "CRYP-809-A02", + "CRYP-822-A03", + "CRYP-868-A02", + "CRYP-952-A08", + "DATA-014-A01", + "DATA-1136-A06", + "DATA-1161-A02", + "DATA-1191-A10", + "DATA-1207-A03", + "DATA-1257-A05", + "DATA-1257-A09", + "DATA-1701-A05", + "DATA-1801-A06", + "DATA-1881-A01", + "DATA-2057-A21", + "DATA-2119-A01", + "DATA-2427-A01", + "DATA-2533-A01", + "DATA-2558-A03", + "DATA-260-A02", + "DATA-260-A08", + "DATA-2607-A05", + "DATA-2648-A01", + "DATA-2668-A01", + "DATA-3292-A01", + "DATA-3324-A05", + 
"DATA-3401-A01", + "DATA-3613-A01", + "DATA-3649-A09", + "DATA-3692-A04", + "DATA-3754-A03", + "DATA-4203-A05", + "DATA-4294-A13", + "DATA-879-A03", + "DATA-972-A06", + "DATA-972-A12", + "FIN-1094-A03", + "FIN-1223-A06", + "FIN-1223-A10", + "FIN-606-A06", + "FIN-852", + "FIN-852-A04", + "FIN-891-A08", + "GIA-002-A02", + "GIA-002-A06", + "GOV-0661-A15", + "GOV-1435-A08", + "GOV-1562-A05", + "GOV-1605-A01", + "GOV-1611-A04", + "GOV-1648-A01", + "GOV-1648-A02", + "GOV-1700-A01", + "GOV-1732-A01", + "GOV-1733-A04", + "GOV-3072-A05", + "GOV-3501-A02", + "GOV-3860-A09", + "GOV-3860-A10", + "GOV-3871", + "GOV-3902-A01", + "GOV-3909-A01", + "GOV-3909-A02", + "GOV-413-A18", + "GOV-519", + "GOV-519-A11", + "GOV-519-A35", + "GOV-520-A40", + "GOV-877-A05", + "HLT-524-A04", + "HLT-532-A06", + "HLT-559-A03", + "IAM-008", + "IDA-005", + "IDA-008-A01", + "IDA-008-A04", + "IDF-004-A02", + "IDF-010", + "IDF-010-A01", + "INC-071-A14", + "INC-1142-A03", + "INC-946-A06", + "LAB-246-A08", + "LGM-001-A09", + "LOG-053-A07", + "LOG-1086-A03", + "LOG-1087-A03", + "LOG-1087-A11", + "LOG-121-A04", + "LOG-121-A17", + "LOG-1549-A05", + "LOG-1549-A08", + "LOG-1742-A05", + "LOG-1742-A08", + "LOG-1742-A13", + "LOG-1748-A01", + "LOG-1767-A02", + "LOG-1859", + "LOG-1859-A04", + "LOG-1859-A10", + "LOG-705-A01", + "LOG-735-A17", + "LOG-735-A18", + "LOG-745-A44", + "LOG-745-A54", + "LOG-774-A01", + "LOG-774-A15", + "LOG-774-A22", + "LOG-774-A29", + "MIA-001", + "NET-076-A07", + "NET-076-A14", + "NET-1014-A03", + "NET-1014-A07", + "NET-1249-A05", + "NET-1274-A01", + "NET-1277-A01", + "NET-1303-A01", + "NET-1309-A02", + "NET-1464-A05", + "NET-1466-A04", + "NET-1476-A09", + "NET-1633", + "NET-1633-A01", + "NET-1669-A02", + "NET-1669-A07", + "NET-1683-A06", + "NET-1787-A11", + "NET-1855-A01", + "NET-1856-A10", + "NET-1858-A08", + "NET-351", + "NET-351-A01", + "NET-351-A02", + "NET-351-A06", + "NET-351-A07", + "NET-391", + "NET-391-A01", + "NET-391-A08", + "NET-405", + "NET-405-A03", + "NET-405-A08", + 
"NET-405-A09", + "NET-465-A02", + "NET-465-A07", + "NET-506-A15", + "NET-506-A60", + "NET-527-A04", + "NET-527-A15", + "NET-527-A23", + "NET-794-A06", + "NET-825-A03", + "NET-855-A05", + "NET-857-A01", + "NET-857-A02", + "NET-857-A04", + "NET-857-A05", + "NET-860-A01", + "NET-860-A02", + "NET-867-A02", + "NET-928-A02", + "NET-965-A03", + "NET-980-A07", + "NET-981-A10", + "NET-982-A02", + "PFI-001-A02", + "PRC-012-A01", + "SEC-008-A13", + "SEC-082-A06", + "SEC-1144-A03", + "SEC-1144-A28", + "SEC-1144-A42", + "SEC-1144-A56", + "SEC-1144-A70", + "SEC-1146-A02", + "SEC-1146-A07", + "SEC-1146-A54", + "SEC-1146-A59", + "SEC-1153-A12", + "SEC-1215-A05", + "SEC-1221-A10", + "SEC-2007-A02", + "SEC-2635-A03", + "SEC-2635-A04", + "SEC-2643-A07", + "SEC-2662-A07", + "SEC-2662-A13", + "SEC-2698-A01", + "SEC-2738-A02", + "SEC-2788-A06", + "SEC-2818-A05", + "SEC-2845-A09", + "SEC-2899", + "SEC-2899-A04", + "SEC-2899-A05", + "SEC-2899-A06", + "SEC-2927-A04", + "SEC-3065-A02", + "SEC-3157-A07", + "SEC-3159-A05", + "SEC-3195-A04", + "SEC-3217-A03", + "SEC-3383-A08", + "SEC-3709-A10", + "SEC-3732-A08", + "SEC-3872-A01", + "SEC-3931-A02", + "SEC-3931-A10", + "SEC-3935-A02", + "SEC-4010-A09", + "SEC-4217", + "SEC-4254-A03", + "SEC-4414-A04", + "SEC-4513", + "SEC-4513-A04", + "SEC-4560", + "SEC-4561", + "SEC-4561-A01", + "SEC-4561-A02", + "SEC-4561-A03", + "SEC-4561-A07", + "SEC-4655-A03", + "SEC-4655-A04", + "SEC-5505-A02", + "SEC-5595-A13", + "SEC-5610-A03", + "SEC-5615", + "SEC-5792-A02", + "SEC-5792-A03", + "SEC-5858-A07", + "SEC-5880-A03", + "SEC-6093-A01", + "SEC-6153-A10", + "SEC-6170-A02", + "SEC-6296", + "SEC-6724-A05", + "SEC-6770", + "SEC-6771-A04", + "SEC-6784-A10", + "SEC-6830-A05", + "SEC-6919-A03", + "SEC-6956-A06", + "SEC-7022-A04", + "SEC-7108-A03", + "SEC-7229-A09", + "SEC-7237-A02", + "SEC-7343-A03", + "SEC-7398-A03", + "SEC-7442-A04", + "SEC-7963-A02", + "SEC-7967", + "SEC-7993-A02", + "SEC-7994", + "SEC-7994-A06", + "SEC-8016", + "SEC-8041-A07", + "SEC-8121-A05", + 
"SEC-8138-A03", + "SEC-8155-A02", + "SEC-8257-A02", + "SEC-9014-A16", + "SEC-9136-A08", + "SEC-9175", + "SEC-9212-A01", + "SEC-9212-A02" + ], + "member_count": 1339, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.95, + "source_meta_cluster": "M5", + "cluster_size": 339, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "evidence_merged_from": [ + "auth_testing" + ] + }, + { + "id": "authentication_policy_documented", + "name": "Authentifizierungsrichtlinie dokumentieren", + "description": "Eine Authentifizierungs- und Autorisierungsrichtlinie ist zu dokumentieren, zu versionieren und aktuell zu halten.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "credential", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": false, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "ISO", + "anchor": "ISO 27001 A.5.17", + "role": "best_practice" + }, + { + "source": "Warnungen bei unsicheren Authentifizierungsmethoden", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "weak_method_warnings" + } + ], + "member_review_units": [ + "M3", + "M35", + "M40", + "M116" + ], + "member_controls": [ + "ACC-0383-A06", + "ACC-0384-A02", + "ACC-0384-A03", + "ACC-082-A06", + "ACC-082-A07", + "ACC-082-A15", + "ACC-082-A16", + "ACC-320", + "ACC-320-A01", + "ACC-320-A02", + "ACC-320-A03", + "ACC-320-A04", + "ACC-320-A06", + "ACC-320-A09", + "ACC-320-A10", + "ACC-320-A11", + "ACC-320-A12", + "ACC-320-A13", + "ACC-320-A17", + "ACC-320-A19", + "ACC-320-A20", + "ACC-320-A21", + "ACC-320-A26", + "ACC-320-A28", + "ACC-320-A29", + "ACC-320-A35", + "ACC-320-A36", + "ACC-320-A37", + "ACC-320-A41", + "ACC-320-A43", + "ACC-320-A44", + "ACC-320-A45", + "ACC-327-A18", + "ACC-327-A60", + "ACC-427", + "ACC-427-A01", + 
"ACC-427-A11", + "ACC-518-A06", + "ACC-567-A10", + "ACC-568-A05", + "ACC-571-A09", + "ACC-741-A03", + "ACC-741-A05", + "ACC-754-A05", + "ACL-004-A04", + "AI-052-A26", + "AI-052-A27", + "AI-1027-A07", + "AI-1311-A05", + "AI-1311-A09", + "AI-1417-A06", + "AI-1715-A08", + "AUTH-013-A09", + "AUTH-014", + "AUTH-014-A18", + "AUTH-014-A25", + "AUTH-014-A26", + "AUTH-032", + "AUTH-043", + "AUTH-045", + "AUTH-067-A12", + "AUTH-088-A01", + "AUTH-088-A02", + "AUTH-088-A07", + "AUTH-1004-A01", + "AUTH-1009-A01", + "AUTH-1009-A03", + "AUTH-1011-A01", + "AUTH-1011-A11", + "AUTH-1011-A13", + "AUTH-1026", + "AUTH-1026-A01", + "AUTH-1088-A01", + "AUTH-1088-A04", + "AUTH-1095-A01", + "AUTH-1095-A04", + "AUTH-1096-A04", + "AUTH-1101-A01", + "AUTH-1101-A06", + "AUTH-1110-A03", + "AUTH-1276", + "AUTH-1282", + "AUTH-1283-A02", + "AUTH-1283-A03", + "AUTH-1283-A04", + "AUTH-1283-A05", + "AUTH-1295-A02", + "AUTH-1295-A05", + "AUTH-1298", + "AUTH-1298-A01", + "AUTH-1298-A02", + "AUTH-1298-A03", + "AUTH-1310-A04", + "AUTH-1311-A02", + "AUTH-1313-A01", + "AUTH-1313-A02", + "AUTH-1314-A04", + "AUTH-1426-A05", + "AUTH-1437", + "AUTH-1437-A01", + "AUTH-1437-A02", + "AUTH-1437-A06", + "AUTH-1448-A01", + "AUTH-1455-A02", + "AUTH-1463-A02", + "AUTH-1480", + "AUTH-1480-A01", + "AUTH-1519-A02", + "AUTH-1524-A03", + "AUTH-1529-A06", + "AUTH-1535-A04", + "AUTH-1576-A01", + "AUTH-1579-A01", + "AUTH-1579-A02", + "AUTH-1623-A03", + "AUTH-1623-A04", + "AUTH-1623-A07", + "AUTH-1623-A08", + "AUTH-1624-A11", + "AUTH-1627", + "AUTH-1634", + "AUTH-1634-A01", + "AUTH-1637-A09", + "AUTH-1640-A03", + "AUTH-1645-A04", + "AUTH-1646", + "AUTH-1669-A01", + "AUTH-1677-A02", + "AUTH-1677-A08", + "AUTH-1678-A07", + "AUTH-1693", + "AUTH-1693-A01", + "AUTH-1694-A06", + "AUTH-1711-A02", + "AUTH-1711-A08", + "AUTH-1711-A09", + "AUTH-1711-A10", + "AUTH-1716-A02", + "AUTH-1716-A03", + "AUTH-1720-A05", + "AUTH-1721-A01", + "AUTH-1721-A03", + "AUTH-1734-A02", + "AUTH-1746", + "AUTH-1746-A01", + "AUTH-1747-A01", + 
"AUTH-1753-A05", + "AUTH-1810-A01", + "AUTH-1812-A02", + "AUTH-1812-A05", + "AUTH-1814-A01", + "AUTH-1814-A02", + "AUTH-1818-A06", + "AUTH-1835-A04", + "AUTH-1835-A08", + "AUTH-1837", + "AUTH-1837-A02", + "AUTH-1839-A05", + "AUTH-1843-A07", + "AUTH-1843-A09", + "AUTH-1844-A04", + "AUTH-1858", + "AUTH-1859", + "AUTH-1859-A04", + "AUTH-1859-A05", + "AUTH-1859-A07", + "AUTH-1864-A02", + "AUTH-1864-A04", + "AUTH-1864-A05", + "AUTH-1864-A06", + "AUTH-1864-A07", + "AUTH-1864-A08", + "AUTH-1877-A05", + "AUTH-1877-A08", + "AUTH-1877-A11", + "AUTH-1901-A02", + "AUTH-1908-A02", + "AUTH-1908-A04", + "AUTH-1909-A02", + "AUTH-1909-A06", + "AUTH-1909-A07", + "AUTH-1909-A08", + "AUTH-1910-A09", + "AUTH-1913", + "AUTH-1915", + "AUTH-1915-A01", + "AUTH-1917-A04", + "AUTH-1917-A08", + "AUTH-1938-A04", + "AUTH-1943-A04", + "AUTH-1947-A07", + "AUTH-1952-A05", + "AUTH-1952-A06", + "AUTH-1952-A08", + "AUTH-1959", + "AUTH-1959-A02", + "AUTH-1959-A04", + "AUTH-1959-A06", + "AUTH-1959-A08", + "AUTH-2280", + "AUTH-2280-A01", + "AUTH-2317-A02", + "AUTH-2333-A01", + "AUTH-2333-A02", + "AUTH-2338-A06", + "AUTH-2368-A03", + "AUTH-2368-A08", + "AUTH-2371", + "AUTH-2371-A03", + "AUTH-2371-A05", + "AUTH-2372-A01", + "AUTH-2375-A05", + "AUTH-2382-A01", + "AUTH-2399", + "AUTH-2399-A04", + "AUTH-2400-A07", + "AUTH-2403", + "AUTH-2403-A02", + "AUTH-2403-A06", + "AUTH-2405-A05", + "AUTH-2413-A05", + "AUTH-2413-A06", + "AUTH-2416", + "AUTH-2416-A01", + "AUTH-2416-A03", + "AUTH-2416-A05", + "AUTH-2416-A07", + "AUTH-2416-A08", + "AUTH-2417-A06", + "AUTH-2417-A07", + "AUTH-2417-A11", + "AUTH-2417-A13", + "AUTH-2420", + "AUTH-2423", + "AUTH-2423-A04", + "AUTH-2430-A01", + "AUTH-2438", + "AUTH-2438-A03", + "AUTH-2441-A06", + "AUTH-2444-A01", + "AUTH-2444-A07", + "AUTH-2451-A04", + "AUTH-2464-A03", + "AUTH-2466-A04", + "AUTH-2466-A12", + "AUTH-2543-A04", + "AUTH-2573-A03", + "AUTH-2678-A04", + "AUTH-2678-A05", + "AUTH-2678-A06", + "AUTH-2678-A07", + "AUTH-2689-A07", + "AUTH-2779", + "AUTH-2781-A07", + 
"AUTH-2793-A01", + "AUTH-2801", + "AUTH-2817", + "AUTH-2817-A01", + "AUTH-2847-A15", + "AUTH-2850-A04", + "AUTH-2851", + "AUTH-2851-A09", + "AUTH-2852", + "AUTH-2873-A01", + "AUTH-2873-A05", + "AUTH-2873-A06", + "AUTH-2875-A02", + "AUTH-2875-A05", + "AUTH-2877-A01", + "AUTH-2877-A05", + "AUTH-2880-A01", + "AUTH-2880-A08", + "AUTH-2886-A05", + "AUTH-2889-A05", + "AUTH-2906-A01", + "AUTH-2906-A08", + "AUTH-2913-A13", + "AUTH-2921", + "AUTH-2943-A08", + "AUTH-2945", + "AUTH-2949-A09", + "AUTH-2956", + "AUTH-2959-A03", + "AUTH-2960-A08", + "AUTH-2970-A02", + "AUTH-2970-A07", + "AUTH-2970-A09", + "AUTH-2975", + "AUTH-2977-A06", + "AUTH-2981-A01", + "AUTH-2987-A06", + "AUTH-2989-A01", + "AUTH-2995", + "AUTH-3008-A02", + "AUTH-3016-A14", + "AUTH-3017-A07", + "AUTH-3018-A05", + "AUTH-3045", + "AUTH-3045-A01", + "AUTH-3045-A02", + "AUTH-3045-A03", + "AUTH-3064-A04", + "AUTH-3065-A03", + "AUTH-3065-A04", + "AUTH-3068", + "AUTH-3068-A01", + "AUTH-3068-A02", + "AUTH-3068-A03", + "AUTH-3068-A04", + "AUTH-3068-A05", + "AUTH-3070-A03", + "AUTH-3071-A01", + "AUTH-3071-A03", + "AUTH-3071-A04", + "AUTH-3071-A09", + "AUTH-3073-A01", + "AUTH-3073-A05", + "AUTH-3074-A03", + "AUTH-3074-A04", + "AUTH-3075-A01", + "AUTH-3150-A03", + "AUTH-3150-A04", + "AUTH-3150-A05", + "AUTH-3150-A06", + "AUTH-3150-A09", + "AUTH-3151", + "AUTH-3151-A01", + "AUTH-3151-A07", + "AUTH-3151-A10", + "AUTH-3151-A12", + "AUTH-3154-A02", + "AUTH-3154-A06", + "AUTH-3155-A04", + "AUTH-3161-A04", + "AUTH-3164-A02", + "AUTH-3164-A05", + "AUTH-3164-A07", + "AUTH-3164-A12", + "AUTH-3166-A01", + "AUTH-3166-A02", + "AUTH-3170", + "AUTH-3170-A01", + "AUTH-3170-A02", + "AUTH-3230-A01", + "AUTH-3255-A02", + "AUTH-3258-A02", + "AUTH-3258-A12", + "AUTH-3279-A03", + "AUTH-3284", + "AUTH-3284-A03", + "AUTH-3300-A10", + "AUTH-3305", + "AUTH-3305-A05", + "AUTH-3314-A01", + "AUTH-3314-A02", + "AUTH-3314-A03", + "AUTH-3394-A02", + "AUTH-3394-A04", + "AUTH-3396-A02", + "AUTH-3396-A04", + "AUTH-3425-A03", + "AUTH-3428-A01", + 
"AUTH-3430-A01", + "AUTH-3430-A06", + "AUTH-3430-A12", + "AUTH-3460-A02", + "AUTH-3460-A03", + "AUTH-3461-A02", + "AUTH-3461-A04", + "AUTH-3461-A06", + "AUTH-3541-A03", + "AUTH-3541-A05", + "AUTH-3541-A08", + "AUTH-3548-A01", + "AUTH-3550-A01", + "AUTH-3550-A02", + "AUTH-3554-A01", + "AUTH-3554-A05", + "AUTH-3556-A03", + "AUTH-3558-A04", + "AUTH-3562-A03", + "AUTH-3594-A08", + "AUTH-3595-A11", + "AUTH-3596-A06", + "AUTH-3597", + "AUTH-3597-A01", + "AUTH-3597-A04", + "AUTH-3597-A05", + "AUTH-3597-A08", + "AUTH-3624", + "AUTH-3624-A01", + "AUTH-3624-A02", + "AUTH-3633-A07", + "AUTH-3633-A10", + "AUTH-3634-A05", + "AUTH-3641-A05", + "AUTH-3652-A08", + "AUTH-3656-A05", + "AUTH-3656-A06", + "AUTH-3656-A08", + "AUTH-3677-A06", + "AUTH-3705-A10", + "AUTH-3712", + "AUTH-3751-A04", + "AUTH-384-A06", + "AUTH-3865-A07", + "AUTH-3887-A07", + "AUTH-3900-A04", + "AUTH-3904", + "AUTH-3904-A01", + "AUTH-3904-A02", + "AUTH-3904-A04", + "AUTH-3908-A02", + "AUTH-3908-A03", + "AUTH-3922", + "AUTH-3935-A16", + "AUTH-3946-A04", + "AUTH-3951-A01", + "AUTH-3951-A02", + "AUTH-3951-A03", + "AUTH-3951-A04", + "AUTH-3951-A05", + "AUTH-3951-A06", + "AUTH-3951-A07", + "AUTH-3951-A09", + "AUTH-3955-A07", + "AUTH-3958-A01", + "AUTH-3958-A03", + "AUTH-3958-A06", + "AUTH-3960-A01", + "AUTH-3960-A04", + "AUTH-3960-A05", + "AUTH-3963-A05", + "AUTH-3963-A06", + "AUTH-3964", + "AUTH-3964-A01", + "AUTH-3964-A02", + "AUTH-3964-A03", + "AUTH-3964-A04", + "AUTH-3964-A05", + "AUTH-3964-A06", + "AUTH-3968-A02", + "AUTH-3968-A04", + "AUTH-3984-A02", + "AUTH-3987", + "AUTH-3987-A02", + "AUTH-3999-A01", + "AUTH-4004", + "AUTH-4007-A06", + "AUTH-4031-A01", + "AUTH-4031-A07", + "AUTH-4032-A11", + "AUTH-4036-A01", + "AUTH-4036-A05", + "AUTH-4043", + "AUTH-4043-A06", + "AUTH-4050", + "AUTH-4054-A07", + "AUTH-4054-A08", + "AUTH-4121-A02", + "AUTH-4130-A03", + "AUTH-4135-A03", + "AUTH-474-A07", + "AUTH-497", + "AUTH-497-A03", + "AUTH-505-A04", + "AUTH-509-A05", + "AUTH-509-A06", + "AUTH-530-A01", + "AUTH-530-A05", + 
"AUTH-530-A08", + "AUTH-530-A11", + "AUTH-559", + "AUTH-559-A01", + "AUTH-559-A03", + "AUTH-559-A05", + "AUTH-559-A16", + "AUTH-582", + "AUTH-582-A01", + "AUTH-584", + "AUTH-584-A01", + "AUTH-584-A02", + "AUTH-584-A08", + "AUTH-584-A09", + "AUTH-592-A05", + "AUTH-592-A06", + "AUTH-595", + "AUTH-595-A05", + "AUTH-610", + "AUTH-610-A06", + "AUTH-615", + "AUTH-615-A01", + "AUTH-615-A02", + "AUTH-615-A03", + "AUTH-615-A04", + "AUTH-615-A05", + "AUTH-616", + "AUTH-616-A01", + "AUTH-616-A02", + "AUTH-616-A03", + "AUTH-616-A05", + "AUTH-616-A06", + "AUTH-616-A12", + "AUTH-616-A13", + "AUTH-616-A15", + "AUTH-616-A16", + "AUTH-617", + "AUTH-623", + "AUTH-623-A01", + "AUTH-623-A02", + "AUTH-623-A03", + "AUTH-623-A04", + "AUTH-623-A05", + "AUTH-623-A06", + "AUTH-637-A08", + "AUTH-637-A09", + "AUTH-637-A30", + "AUTH-665", + "AUTH-670", + "AUTH-694", + "AUTH-694-A03", + "AUTH-694-A06", + "AUTH-710-A05", + "AUTH-718", + "AUTH-732-A04", + "AUTH-732-A05", + "AUTH-745", + "AUTH-745-A01", + "AUTH-745-A04", + "AUTH-745-A05", + "AUTH-748-A05", + "AUTH-748-A06", + "AUTH-748-A10", + "AUTH-748-A11", + "AUTH-751", + "AUTH-752", + "AUTH-752-A01", + "AUTH-752-A07", + "AUTH-784-A01", + "AUTH-784-A03", + "AUTH-789-A03", + "AUTH-803-A07", + "AUTH-804-A06", + "AUTH-818-A02", + "AUTH-818-A08", + "AUTH-818-A14", + "AUTH-822-A04", + "AUTH-822-A05", + "AUTH-825-A05", + "AUTH-831", + "AUTH-836-A04", + "AUTH-836-A11", + "AUTH-838-A11", + "AUTH-838-A18", + "AUTH-838-A27", + "AUTH-838-A37", + "AUTH-838-A45", + "AUTH-845-A01", + "AUTH-845-A13", + "AUTH-845-A24", + "AUTH-845-A27", + "AUTH-845-A45", + "AUTH-846-A03", + "AUTH-846-A12", + "AUTH-846-A22", + "AUTH-846-A32", + "AUTH-846-A41", + "AUTH-850", + "AUTH-857-A03", + "AUTH-885-A03", + "AUTH-885-A10", + "AUTH-885-A17", + "AUTH-885-A22", + "AUTH-885-A25", + "AUTH-885-A31", + "AUTH-885-A34", + "AUTH-889", + "AUTH-894-A06", + "AUTH-894-A11", + "AUTH-894-A12", + "AUTH-902-A01", + "AUTH-902-A11", + "AUTH-902-A17", + "AUTH-906-A01", + "AUTH-906-A06", + 
"AUTH-906-A11", + "AUTH-906-A15", + "AUTH-906-A20", + "AUTH-906-A21", + "AUTH-909-A02", + "AUTH-909-A12", + "AUTH-909-A22", + "AUTH-909-A32", + "AUTH-909-A42", + "AUTH-917", + "AUTH-917-A01", + "AUTH-917-A04", + "AUTH-917-A05", + "AUTH-917-A06", + "AUTH-917-A09", + "AUTH-917-A10", + "AUTH-917-A11", + "AUTH-917-A14", + "AUTH-917-A15", + "AUTH-917-A17", + "AUTH-917-A20", + "AUTH-917-A21", + "AUTH-917-A22", + "AUTH-917-A24", + "AUTH-917-A25", + "AUTH-917-A26", + "AUTH-919", + "AUTH-922-A02", + "AUTH-922-A08", + "AUTH-925-A13", + "AUTH-926", + "AUTH-932", + "AUTH-932-A02", + "AUTH-932-A07", + "AUTH-932-A12", + "AUTH-932-A18", + "AUTH-932-A23", + "AUTH-937-A01", + "AUTH-937-A08", + "AUTH-937-A15", + "AUTH-937-A22", + "AUTH-937-A29", + "AUTH-939-A12", + "AUTH-939-A29", + "AUTH-954-A15", + "AUTH-960", + "AUTH-974-A07", + "AUTH-987", + "AUTH-987-A01", + "AUTH-987-A23", + "AUTH-987-A24", + "COMP-1264", + "COMP-1264-A01", + "COMP-1264-A02", + "COMP-1264-A05", + "COMP-1652-A07", + "COMP-1745-A03", + "COMP-1817-A04", + "COMP-2060-A01", + "COMP-2131-A09", + "COMP-262-A01", + "COMP-2639-A04", + "COMP-2755-A01", + "COMP-2768-A02", + "COMP-2876-A05", + "COMP-3476-A04", + "COMP-3602", + "COMP-3602-A01", + "COMP-3602-A06", + "COMP-3602-A08", + "COMP-3602-A10", + "COMP-3733-A08", + "COMP-3739-A06", + "COMP-3739-A07", + "COMP-3978-A01", + "COMP-3978-A02", + "COMP-3981-A06", + "COMP-3983", + "COMP-3983-A02", + "COMP-3983-A07", + "COMP-3983-A12", + "COMP-3983-A13", + "CRYP-1089-A02", + "CRYP-1134-A05", + "CRYP-1159-A02", + "CRYP-1214-A04", + "CRYP-1255-A04", + "CRYP-1255-A05", + "CRYP-1386-A08", + "CRYP-1421-A05", + "CRYP-1431-A02", + "CRYP-1466-A03", + "CRYP-1473-A07", + "CRYP-1475-A06", + "CRYP-1520-A04", + "CRYP-1533-A05", + "CRYP-1712-A01", + "CRYP-1712-A05", + "CRYP-172-A07", + "CRYP-1732-A01", + "CRYP-1751-A10", + "CRYP-1751-A11", + "CRYP-1788-A11", + "CRYP-1864", + "CRYP-1864-A02", + "CRYP-1927-A12", + "CRYP-1942-A10", + "CRYP-1983-A01", + "CRYP-2101-A02", + "CRYP-2173-A01", + 
"CRYP-2287-A01", + "CRYP-2308-A04", + "CRYP-2363-A05", + "CRYP-450-A05", + "CRYP-450-A06", + "CRYP-450-A40", + "CRYP-450-A52", + "CRYP-450-A53", + "CRYP-626", + "CRYP-726-A08", + "CRYP-738-A05", + "CRYP-773-A09", + "CRYP-873-A01", + "CRYP-873-A10", + "CRYP-880-A04", + "CRYP-927-A11", + "CRYP-961-A10", + "DATA-1191-A10", + "DATA-1240-A08", + "DATA-1257-A09", + "DATA-1499-A03", + "DATA-1801-A06", + "DATA-1801-A09", + "DATA-1881-A07", + "DATA-2427-A06", + "DATA-2572", + "DATA-260-A02", + "DATA-260-A08", + "DATA-2607-A02", + "DATA-2607-A03", + "DATA-2607-A05", + "DATA-2648-A01", + "DATA-2663-A04", + "DATA-3292-A01", + "DATA-3324-A11", + "DATA-3401-A01", + "DATA-3649-A14", + "DATA-4027-A02", + "DATA-4225-A03", + "DATA-972-A06", + "DATA-972-A12", + "FIN-1223-A06", + "GOV-1561-A04", + "GOV-180-A18", + "GOV-2396-A07", + "GOV-2718-A03", + "GOV-3502-A08", + "GOV-413-A18", + "GOV-519", + "GOV-520-A40", + "INC-946-A11", + "LOG-1059-A01", + "LOG-1737-A01", + "MIA-001", + "NET-004-A05", + "NET-004-A09", + "NET-004-A19", + "NET-1012-A03", + "NET-1012-A06", + "NET-1014-A03", + "NET-1014-A04", + "NET-104-A02", + "NET-104-A10", + "NET-1277-A06", + "NET-1293-A07", + "NET-1309-A01", + "NET-1343-A05", + "NET-149-A01", + "NET-149-A11", + "NET-1856-A05", + "NET-351", + "NET-351-A01", + "NET-351-A02", + "NET-351-A06", + "NET-351-A07", + "NET-351-A10", + "NET-391", + "NET-391-A01", + "NET-391-A08", + "NET-405", + "NET-405-A03", + "NET-405-A08", + "NET-405-A09", + "NET-859-A05", + "NET-859-A06", + "NET-860-A03", + "NET-860-A04", + "NET-860-A08", + "PFI-001-A02", + "SEC-1085", + "SEC-1144-A03", + "SEC-1144-A28", + "SEC-1144-A42", + "SEC-1144-A56", + "SEC-1144-A70", + "SEC-1146-A02", + "SEC-1146-A07", + "SEC-1146-A54", + "SEC-1146-A59", + "SEC-1153-A12", + "SEC-171-A16", + "SEC-171-A34", + "SEC-2035-A04", + "SEC-2153-A03", + "SEC-2176-A03", + "SEC-2635-A03", + "SEC-2786-A04", + "SEC-2809-A04", + "SEC-2818-A04", + "SEC-2818-A05", + "SEC-2853-A05", + "SEC-2895-A06", + "SEC-3175-A11", + 
"SEC-3223", + "SEC-3643-A08", + "SEC-3709-A07", + "SEC-3853", + "SEC-3857-A05", + "SEC-3857-A08", + "SEC-3895-A01", + "SEC-3991", + "SEC-4090-A05", + "SEC-4292-A04", + "SEC-4561-A04", + "SEC-4593-A05", + "SEC-4655", + "SEC-4655-A01", + "SEC-4655-A02", + "SEC-4655-A04", + "SEC-4655-A05", + "SEC-5595-A09", + "SEC-5596-A02", + "SEC-5610-A02", + "SEC-5767", + "SEC-5780", + "SEC-5792-A03", + "SEC-5792-A04", + "SEC-6770", + "SEC-6784-A06", + "SEC-6830-A05", + "SEC-7442-A06", + "SEC-8016-A03", + "SEC-8016-A09", + "SEC-8138-A03", + "SEC-8257-A10", + "SEC-8325", + "SEC-9212-A02" + ], + "member_count": 842, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.85, + "source_meta_cluster": "M3", + "cluster_size": 376, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "evidence_merged_from": [ + "auth_inventory", + "auth_suitability_assessment", + "auth_risk_assessment" + ] + }, + { + "id": "auth_exceptions_documented", + "name": "Ausnahmen von Authentifizierungspflicht dokumentieren", + "description": "Erlaubte Aktionen ohne Identifikation/Authentifizierung sowie Ausnahmen sind explizit zu dokumentieren und zu begruenden.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "credential", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": false, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "AC-14", + "role": "best_practice" + } + ], + "member_review_units": [ + "M3", + "M1", + "M6", + "M107" + ], + "member_controls": [ + "ACC-001-A14", + "ACC-001-A17", + "ACC-001-A29", + "ACC-0383-A06", + "ACC-0384-A02", + "ACC-0384-A03", + "ACC-0410-A03", + "ACC-082-A06", + "ACC-082-A07", + "ACC-082-A08", + "ACC-082-A09", + "ACC-082-A15", + "ACC-082-A16", + "ACC-082-A17", + "ACC-082-A18", + "ACC-320", + 
"ACC-320-A01", + "ACC-320-A02", + "ACC-320-A03", + "ACC-320-A04", + "ACC-320-A06", + "ACC-320-A09", + "ACC-320-A10", + "ACC-320-A11", + "ACC-320-A12", + "ACC-320-A13", + "ACC-320-A16", + "ACC-320-A17", + "ACC-320-A18", + "ACC-320-A19", + "ACC-320-A20", + "ACC-320-A21", + "ACC-320-A24", + "ACC-320-A26", + "ACC-320-A28", + "ACC-320-A29", + "ACC-320-A34", + "ACC-320-A35", + "ACC-320-A36", + "ACC-320-A37", + "ACC-320-A38", + "ACC-320-A40", + "ACC-320-A41", + "ACC-320-A42", + "ACC-320-A43", + "ACC-320-A44", + "ACC-320-A45", + "ACC-320-A48", + "ACC-327-A18", + "ACC-327-A60", + "ACC-427", + "ACC-427-A01", + "ACC-427-A02", + "ACC-427-A03", + "ACC-427-A11", + "ACC-427-A12", + "ACC-478-A08", + "ACC-490-A04", + "ACC-490-A09", + "ACC-499-A05", + "ACC-499-A07", + "ACC-504-A09", + "ACC-508-A06", + "ACC-518-A06", + "ACC-559-A04", + "ACC-567-A10", + "ACC-578-A07", + "ACC-607", + "ACC-673-A10", + "ACC-741-A03", + "ACL-004-A04", + "AI-052-A26", + "AI-052-A27", + "AI-052-A28", + "AI-052-A29", + "AI-1012-A03", + "AI-1012-A04", + "AI-1012-A05", + "AI-1012-A07", + "AI-1027-A07", + "AI-1236-A04", + "AI-1408-A01", + "AI-1417-A06", + "AI-1660-A12", + "AI-1715-A08", + "AI-797-A09", + "AI-797-A18", + "AI-797-A36", + "AI-797-A45", + "AI-924-A13", + "AI-924-A14", + "AI-997-A01", + "AUTH-008-A25", + "AUTH-018", + "AUTH-018-A18", + "AUTH-032", + "AUTH-043", + "AUTH-045", + "AUTH-067-A12", + "AUTH-1004-A01", + "AUTH-1008", + "AUTH-1009-A01", + "AUTH-1009-A03", + "AUTH-1011-A01", + "AUTH-1026", + "AUTH-1026-A01", + "AUTH-1048-A03", + "AUTH-1048-A69", + "AUTH-1049-A56", + "AUTH-1050-A13", + "AUTH-1061-A75", + "AUTH-1084", + "AUTH-1087-A04", + "AUTH-1095-A02", + "AUTH-1096", + "AUTH-1096-A01", + "AUTH-1102-A08", + "AUTH-1102-A14", + "AUTH-1110-A03", + "AUTH-112-A04", + "AUTH-112-A17", + "AUTH-1283-A02", + "AUTH-1288", + "AUTH-1293", + "AUTH-1296-A05", + "AUTH-1298-A02", + "AUTH-1300-A05", + "AUTH-1303-A03", + "AUTH-1313-A01", + "AUTH-1313-A04", + "AUTH-1314-A03", + "AUTH-1426-A05", + 
"AUTH-1426-A06", + "AUTH-1437", + "AUTH-1437-A01", + "AUTH-1437-A06", + "AUTH-1445-A02", + "AUTH-1445-A04", + "AUTH-1455", + "AUTH-1455-A01", + "AUTH-1455-A07", + "AUTH-1463-A02", + "AUTH-1463-A04", + "AUTH-1463-A09", + "AUTH-1464-A04", + "AUTH-1464-A05", + "AUTH-1464-A07", + "AUTH-1466-A04", + "AUTH-1466-A09", + "AUTH-1468-A01", + "AUTH-1468-A06", + "AUTH-1524", + "AUTH-1524-A01", + "AUTH-1524-A02", + "AUTH-1524-A04", + "AUTH-1529-A04", + "AUTH-1529-A06", + "AUTH-1535-A02", + "AUTH-1538-A01", + "AUTH-1538-A10", + "AUTH-1576-A01", + "AUTH-1579-A01", + "AUTH-1623-A04", + "AUTH-1623-A07", + "AUTH-1623-A08", + "AUTH-1624-A11", + "AUTH-1633-A01", + "AUTH-1634-A06", + "AUTH-1635-A06", + "AUTH-1640-A03", + "AUTH-1652-A07", + "AUTH-1654", + "AUTH-1654-A01", + "AUTH-1654-A02", + "AUTH-1654-A03", + "AUTH-1654-A05", + "AUTH-1669-A05", + "AUTH-1669-A06", + "AUTH-1669-A07", + "AUTH-1675-A07", + "AUTH-1678-A02", + "AUTH-1679", + "AUTH-1679-A02", + "AUTH-1694-A06", + "AUTH-1695", + "AUTH-1702-A03", + "AUTH-1706-A05", + "AUTH-1706-A09", + "AUTH-1709-A05", + "AUTH-1711-A02", + "AUTH-1711-A04", + "AUTH-1711-A06", + "AUTH-1711-A07", + "AUTH-1711-A10", + "AUTH-1721-A03", + "AUTH-1742-A01", + "AUTH-1742-A07", + "AUTH-1752-A10", + "AUTH-1759-A05", + "AUTH-1790", + "AUTH-1809", + "AUTH-1809-A02", + "AUTH-1809-A06", + "AUTH-1810-A01", + "AUTH-1812", + "AUTH-1812-A01", + "AUTH-1812-A02", + "AUTH-1814-A01", + "AUTH-1818-A11", + "AUTH-1820-A06", + "AUTH-1823", + "AUTH-1823-A01", + "AUTH-1823-A02", + "AUTH-1827-A04", + "AUTH-1831-A05", + "AUTH-1859", + "AUTH-1860-A05", + "AUTH-1860-A08", + "AUTH-1860-A09", + "AUTH-1862-A09", + "AUTH-1865-A12", + "AUTH-187-A11", + "AUTH-1877-A08", + "AUTH-1909-A02", + "AUTH-1909-A07", + "AUTH-1909-A08", + "AUTH-1910-A05", + "AUTH-1910-A11", + "AUTH-1912-A07", + "AUTH-1917-A04", + "AUTH-1917-A08", + "AUTH-1936-A11", + "AUTH-1940-A04", + "AUTH-1952", + "AUTH-1952-A02", + "AUTH-1952-A03", + "AUTH-1952-A05", + "AUTH-1952-A06", + "AUTH-1952-A07", + 
"AUTH-1952-A08", + "AUTH-1959", + "AUTH-1959-A02", + "AUTH-2121-A04", + "AUTH-2280", + "AUTH-2280-A01", + "AUTH-2315-A04", + "AUTH-2331-A08", + "AUTH-2333-A01", + "AUTH-2333-A02", + "AUTH-2338-A06", + "AUTH-2338-A09", + "AUTH-2345-A03", + "AUTH-2345-A04", + "AUTH-2368-A03", + "AUTH-2372-A01", + "AUTH-2382-A01", + "AUTH-2399", + "AUTH-2399-A04", + "AUTH-2399-A07", + "AUTH-2403", + "AUTH-2403-A03", + "AUTH-2403-A06", + "AUTH-2405-A05", + "AUTH-2405-A06", + "AUTH-2416-A01", + "AUTH-2416-A03", + "AUTH-2417-A04", + "AUTH-2417-A11", + "AUTH-2417-A13", + "AUTH-2444-A01", + "AUTH-2444-A07", + "AUTH-2451-A04", + "AUTH-2464-A03", + "AUTH-2678", + "AUTH-2678-A01", + "AUTH-2779", + "AUTH-2793", + "AUTH-2793-A02", + "AUTH-2801", + "AUTH-2805-A06", + "AUTH-2805-A11", + "AUTH-2817", + "AUTH-2850", + "AUTH-2851", + "AUTH-2851-A10", + "AUTH-2852", + "AUTH-2873-A01", + "AUTH-2873-A05", + "AUTH-2877-A01", + "AUTH-2877-A05", + "AUTH-2879", + "AUTH-2880-A01", + "AUTH-2883", + "AUTH-2883-A01", + "AUTH-2883-A02", + "AUTH-2921-A12", + "AUTH-2935-A06", + "AUTH-2939-A04", + "AUTH-2959-A03", + "AUTH-2960-A08", + "AUTH-2967-A05", + "AUTH-2979-A07", + "AUTH-2980", + "AUTH-2989-A01", + "AUTH-2993-A03", + "AUTH-3004", + "AUTH-3013-A02", + "AUTH-3045", + "AUTH-3045-A01", + "AUTH-3045-A02", + "AUTH-3045-A03", + "AUTH-3045-A04", + "AUTH-3065-A02", + "AUTH-3065-A03", + "AUTH-3065-A04", + "AUTH-3068-A06", + "AUTH-3071-A01", + "AUTH-3071-A04", + "AUTH-3071-A09", + "AUTH-3073", + "AUTH-3073-A02", + "AUTH-3073-A03", + "AUTH-3073-A05", + "AUTH-3075-A01", + "AUTH-3075-A02", + "AUTH-3075-A03", + "AUTH-3075-A05", + "AUTH-3082-A10", + "AUTH-3150", + "AUTH-3150-A01", + "AUTH-3150-A04", + "AUTH-3150-A07", + "AUTH-3150-A09", + "AUTH-3151", + "AUTH-3151-A01", + "AUTH-3151-A05", + "AUTH-3151-A07", + "AUTH-3151-A09", + "AUTH-3151-A10", + "AUTH-3154", + "AUTH-3154-A01", + "AUTH-3154-A02", + "AUTH-3154-A08", + "AUTH-3155", + "AUTH-3155-A04", + "AUTH-3161-A04", + "AUTH-3164-A02", + "AUTH-3164-A05", + "AUTH-3164-A07", 
+ "AUTH-3164-A12", + "AUTH-3166-A01", + "AUTH-3166-A02", + "AUTH-3170", + "AUTH-3170-A01", + "AUTH-3170-A02", + "AUTH-3230-A01", + "AUTH-3266-A07", + "AUTH-3279-A03", + "AUTH-3314-A01", + "AUTH-3314-A02", + "AUTH-3314-A03", + "AUTH-3394-A04", + "AUTH-3396-A04", + "AUTH-3399", + "AUTH-3399-A03", + "AUTH-3460-A02", + "AUTH-3460-A04", + "AUTH-3460-A08", + "AUTH-3461-A02", + "AUTH-3461-A03", + "AUTH-3461-A05", + "AUTH-3461-A06", + "AUTH-3486-A10", + "AUTH-3541-A05", + "AUTH-3541-A06", + "AUTH-3542-A06", + "AUTH-3547-A01", + "AUTH-3548-A02", + "AUTH-3549", + "AUTH-3552-A05", + "AUTH-3554-A02", + "AUTH-3554-A03", + "AUTH-3556-A03", + "AUTH-3558-A04", + "AUTH-3595", + "AUTH-3595-A06", + "AUTH-3595-A08", + "AUTH-3596", + "AUTH-3596-A04", + "AUTH-3596-A06", + "AUTH-3597", + "AUTH-3597-A03", + "AUTH-3597-A04", + "AUTH-3597-A05", + "AUTH-3597-A06", + "AUTH-3599-A02", + "AUTH-3599-A04", + "AUTH-3624", + "AUTH-3624-A01", + "AUTH-3624-A02", + "AUTH-3638", + "AUTH-3641", + "AUTH-3677-A06", + "AUTH-3751-A08", + "AUTH-3825-A01", + "AUTH-3825-A06", + "AUTH-384-A07", + "AUTH-384-A10", + "AUTH-3887-A07", + "AUTH-3922", + "AUTH-3935", + "AUTH-3935-A10", + "AUTH-3935-A11", + "AUTH-3935-A12", + "AUTH-3935-A13", + "AUTH-3935-A14", + "AUTH-3935-A15", + "AUTH-3935-A16", + "AUTH-3935-A17", + "AUTH-3935-A18", + "AUTH-3935-A19", + "AUTH-3948-A04", + "AUTH-3951-A06", + "AUTH-3951-A07", + "AUTH-3955-A01", + "AUTH-3958-A02", + "AUTH-3960-A02", + "AUTH-3960-A03", + "AUTH-3960-A04", + "AUTH-3964-A06", + "AUTH-3964-A07", + "AUTH-3993", + "AUTH-3993-A01", + "AUTH-3993-A02", + "AUTH-3993-A03", + "AUTH-4027-A02", + "AUTH-4030-A03", + "AUTH-4031-A08", + "AUTH-4032-A02", + "AUTH-4036-A04", + "AUTH-4043-A08", + "AUTH-4054-A07", + "AUTH-4085", + "AUTH-4085-A01", + "AUTH-4095-A17", + "AUTH-4135", + "AUTH-494-A02", + "AUTH-497", + "AUTH-497-A03", + "AUTH-505-A04", + "AUTH-505-A06", + "AUTH-530-A01", + "AUTH-530-A05", + "AUTH-530-A08", + "AUTH-530-A11", + "AUTH-548", + "AUTH-548-A01", + "AUTH-548-A03", + 
"AUTH-559", + "AUTH-559-A01", + "AUTH-559-A03", + "AUTH-559-A04", + "AUTH-559-A05", + "AUTH-559-A09", + "AUTH-559-A12", + "AUTH-559-A13", + "AUTH-559-A14", + "AUTH-559-A15", + "AUTH-577", + "AUTH-577-A05", + "AUTH-582", + "AUTH-582-A01", + "AUTH-584", + "AUTH-584-A01", + "AUTH-584-A02", + "AUTH-584-A06", + "AUTH-584-A08", + "AUTH-584-A09", + "AUTH-592", + "AUTH-592-A02", + "AUTH-595", + "AUTH-595-A05", + "AUTH-610", + "AUTH-610-A06", + "AUTH-615", + "AUTH-615-A01", + "AUTH-615-A02", + "AUTH-615-A03", + "AUTH-615-A04", + "AUTH-615-A05", + "AUTH-615-A06", + "AUTH-616", + "AUTH-616-A01", + "AUTH-616-A02", + "AUTH-616-A03", + "AUTH-616-A05", + "AUTH-616-A06", + "AUTH-616-A12", + "AUTH-616-A13", + "AUTH-617", + "AUTH-623", + "AUTH-623-A01", + "AUTH-623-A02", + "AUTH-623-A03", + "AUTH-623-A04", + "AUTH-623-A05", + "AUTH-623-A06", + "AUTH-623-A07", + "AUTH-623-A08", + "AUTH-637-A08", + "AUTH-637-A09", + "AUTH-637-A30", + "AUTH-646-A04", + "AUTH-655-A10", + "AUTH-655-A11", + "AUTH-694", + "AUTH-694-A02", + "AUTH-694-A03", + "AUTH-700-A02", + "AUTH-710-A04", + "AUTH-710-A05", + "AUTH-710-A06", + "AUTH-732-A01", + "AUTH-732-A04", + "AUTH-732-A05", + "AUTH-743-A04", + "AUTH-743-A10", + "AUTH-745", + "AUTH-745-A01", + "AUTH-748-A05", + "AUTH-748-A06", + "AUTH-748-A10", + "AUTH-748-A11", + "AUTH-751-A05", + "AUTH-751-A06", + "AUTH-751-A07", + "AUTH-751-A08", + "AUTH-752", + "AUTH-752-A01", + "AUTH-752-A07", + "AUTH-762-A11", + "AUTH-774-A01", + "AUTH-775-A10", + "AUTH-784-A03", + "AUTH-784-A08", + "AUTH-784-A09", + "AUTH-785-A01", + "AUTH-803-A05", + "AUTH-803-A07", + "AUTH-804-A05", + "AUTH-804-A06", + "AUTH-818-A02", + "AUTH-822-A04", + "AUTH-822-A05", + "AUTH-822-A06", + "AUTH-822-A08", + "AUTH-824-A15", + "AUTH-825-A05", + "AUTH-828-A05", + "AUTH-828-A09", + "AUTH-828-A10", + "AUTH-836", + "AUTH-836-A01", + "AUTH-836-A02", + "AUTH-836-A04", + "AUTH-836-A05", + "AUTH-836-A06", + "AUTH-836-A07", + "AUTH-836-A08", + "AUTH-836-A09", + "AUTH-836-A11", + "AUTH-836-A12", + 
"AUTH-836-A17", + "AUTH-836-A18", + "AUTH-837-A07", + "AUTH-838-A10", + "AUTH-838-A17", + "AUTH-838-A26", + "AUTH-838-A36", + "AUTH-838-A44", + "AUTH-845-A01", + "AUTH-845-A07", + "AUTH-845-A13", + "AUTH-845-A19", + "AUTH-845-A24", + "AUTH-845-A27", + "AUTH-845-A29", + "AUTH-845-A39", + "AUTH-845-A45", + "AUTH-845-A55", + "AUTH-846-A03", + "AUTH-846-A09", + "AUTH-846-A12", + "AUTH-846-A19", + "AUTH-846-A22", + "AUTH-846-A29", + "AUTH-846-A32", + "AUTH-846-A38", + "AUTH-846-A41", + "AUTH-846-A48", + "AUTH-849-A26", + "AUTH-849-A27", + "AUTH-849-A31", + "AUTH-849-A32", + "AUTH-849-A43", + "AUTH-849-A44", + "AUTH-849-A46", + "AUTH-849-A47", + "AUTH-849-A58", + "AUTH-849-A59", + "AUTH-851-A01", + "AUTH-851-A02", + "AUTH-851-A46", + "AUTH-885-A03", + "AUTH-885-A10", + "AUTH-885-A17", + "AUTH-885-A22", + "AUTH-885-A31", + "AUTH-888-A30", + "AUTH-888-A37", + "AUTH-894-A06", + "AUTH-894-A11", + "AUTH-894-A12", + "AUTH-902-A01", + "AUTH-902-A11", + "AUTH-902-A17", + "AUTH-905-A04", + "AUTH-905-A09", + "AUTH-905-A14", + "AUTH-905-A17", + "AUTH-905-A22", + "AUTH-909-A02", + "AUTH-909-A12", + "AUTH-909-A22", + "AUTH-909-A32", + "AUTH-909-A42", + "AUTH-913-A05", + "AUTH-917", + "AUTH-917-A01", + "AUTH-917-A04", + "AUTH-917-A05", + "AUTH-917-A06", + "AUTH-917-A09", + "AUTH-917-A10", + "AUTH-917-A11", + "AUTH-917-A14", + "AUTH-917-A15", + "AUTH-917-A17", + "AUTH-917-A20", + "AUTH-917-A21", + "AUTH-917-A22", + "AUTH-917-A24", + "AUTH-917-A25", + "AUTH-917-A26", + "AUTH-922-A02", + "AUTH-922-A08", + "AUTH-925-A05", + "AUTH-925-A06", + "AUTH-925-A12", + "AUTH-928-A07", + "AUTH-928-A13", + "AUTH-928-A19", + "AUTH-928-A25", + "AUTH-928-A30", + "AUTH-932", + "AUTH-937-A01", + "AUTH-937-A08", + "AUTH-937-A15", + "AUTH-937-A22", + "AUTH-937-A29", + "AUTH-941-A04", + "AUTH-941-A05", + "AUTH-941-A10", + "AUTH-941-A11", + "AUTH-941-A17", + "AUTH-941-A18", + "AUTH-941-A23", + "AUTH-941-A24", + "AUTH-954-A15", + "AUTH-974-A07", + "AUTH-986-A08", + "AUTH-986-A09", + "AUTH-989-A18", + 
"COMP-1264-A01", + "COMP-1264-A02", + "COMP-1264-A04", + "COMP-1264-A05", + "COMP-1883-A03", + "COMP-1904-A04", + "COMP-1904-A06", + "COMP-1904-A07", + "COMP-1960-A06", + "COMP-2029-A04", + "COMP-2129-A04", + "COMP-2131-A09", + "COMP-2639-A04", + "COMP-3435-A05", + "COMP-3602", + "COMP-3602-A01", + "COMP-3602-A08", + "COMP-3602-A10", + "COMP-3733-A03", + "COMP-3983-A02", + "COMP-3983-A04", + "CRYP-1097-A09", + "CRYP-1124-A05", + "CRYP-1210-A09", + "CRYP-1299-A09", + "CRYP-1306-A07", + "CRYP-1372-A05", + "CRYP-1386-A08", + "CRYP-1393-A03", + "CRYP-1433-A07", + "CRYP-1466-A03", + "CRYP-1466-A05", + "CRYP-1712-A15", + "CRYP-1725-A02", + "CRYP-1750-A09", + "CRYP-1761-A01", + "CRYP-1864", + "CRYP-1864-A02", + "CRYP-1864-A05", + "CRYP-1983-A01", + "CRYP-2142-A06", + "CRYP-2148-A06", + "CRYP-2179-A09", + "CRYP-2334", + "CRYP-447-A16", + "CRYP-450-A05", + "CRYP-450-A06", + "CRYP-450-A40", + "CRYP-450-A52", + "CRYP-450-A53", + "CRYP-626", + "CRYP-637-A10", + "CRYP-713-A07", + "CRYP-738-A06", + "CRYP-790", + "DATA-1191-A10", + "DATA-1257-A05", + "DATA-1257-A09", + "DATA-1801-A06", + "DATA-2493-A12", + "DATA-2510-A07", + "DATA-260-A02", + "DATA-260-A08", + "DATA-2607-A05", + "DATA-2648-A01", + "DATA-3292-A01", + "DATA-3372-A07", + "DATA-3376-A01", + "DATA-3376-A06", + "DATA-3401-A01", + "DATA-3613-A01", + "DATA-3754-A03", + "DATA-4225-A04", + "DATA-4317-A05", + "DATA-972-A06", + "DATA-972-A12", + "FIN-1223-A06", + "GOV-1196-A04", + "GOV-180-A06", + "GOV-180-A12", + "GOV-2076-A13", + "GOV-3110-A02", + "GOV-413-A18", + "GOV-519", + "GOV-519-A11", + "GOV-519-A35", + "GOV-520-A40", + "INC-1352-A03", + "LOG-053-A07", + "LOG-107-A02", + "LOG-1742-A13", + "LOG-1748-A01", + "LOG-1767-A02", + "LOG-1861-A06", + "LOG-705-A01", + "LOG-735-A17", + "LOG-735-A18", + "LOG-745-A44", + "LOG-745-A54", + "LOG-774-A01", + "LOG-774-A15", + "LOG-774-A22", + "LOG-774-A29", + "MIA-001", + "NET-1014-A03", + "NET-1293-A02", + "NET-351", + "NET-351-A01", + "NET-351-A02", + "NET-351-A06", + 
"NET-351-A07", + "NET-391", + "NET-391-A01", + "NET-391-A08", + "NET-405", + "NET-405-A03", + "NET-405-A08", + "NET-405-A09", + "NET-506-A15", + "NET-506-A60", + "NET-857-A06", + "NET-857-A12", + "NET-860-A06", + "NET-860-A09", + "NET-980-A07", + "PFI-001-A02", + "SEC-052-A06", + "SEC-093-A05", + "SEC-093-A06", + "SEC-1144-A03", + "SEC-1144-A28", + "SEC-1144-A42", + "SEC-1144-A56", + "SEC-1144-A70", + "SEC-1146-A02", + "SEC-1146-A07", + "SEC-1146-A54", + "SEC-1146-A59", + "SEC-1153-A12", + "SEC-2635-A03", + "SEC-2643-A15", + "SEC-2662-A07", + "SEC-2662-A13", + "SEC-2738-A06", + "SEC-2809", + "SEC-2809-A02", + "SEC-2809-A05", + "SEC-2809-A09", + "SEC-2818-A05", + "SEC-2899-A04", + "SEC-3195-A04", + "SEC-3383-A03", + "SEC-3383-A08", + "SEC-3732-A08", + "SEC-3740-A03", + "SEC-3935-A02", + "SEC-3965-A02", + "SEC-4292-A12", + "SEC-4295", + "SEC-4513-A07", + "SEC-4560-A03", + "SEC-4655-A03", + "SEC-4655-A04", + "SEC-5435-A03", + "SEC-5505-A05", + "SEC-5595-A13", + "SEC-5767-A01", + "SEC-5792-A03", + "SEC-6770", + "SEC-6784-A08", + "SEC-6784-A10", + "SEC-6804-A01", + "SEC-6804-A02", + "SEC-6830-A05", + "SEC-6833-A07", + "SEC-7984-A07", + "SEC-7994-A06", + "SEC-8102-A02", + "SEC-8121-A05", + "SEC-8138-A03", + "SEC-9212-A01", + "SEC-9212-A02" + ], + "member_count": 865, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.8, + "source_meta_cluster": "M6", + "cluster_size": 243, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "mfa_required", + "name": "Multi-Faktor-Authentifizierung umsetzen", + "description": "Multi-Faktor-Authentifizierung ist fuer Benutzerzugriffe umzusetzen, insbesondere wo erhoehtes Risiko besteht.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "mfa", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + 
"source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-63B", + "role": "best_practice" + }, + { + "source": "Out-of-Band-Authentifizierung", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "out_of_band_authentication" + }, + { + "source": "Hardware-basierte Authentifizierung (AAL3)", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "hardware_authenticators" + }, + { + "source": "E-Mail-Authentifizierungsmechanismen (SPF/DKIM/DMARC)", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "email_authentication" + } + ], + "member_review_units": [ + "M1", + "M94", + "M95", + "M38", + "M110", + "M113", + "M126" + ], + "member_controls": [ + "ACC-001-A14", + "ACC-001-A17", + "ACC-001-A29", + "ACC-0410-A03", + "ACC-082-A08", + "ACC-082-A09", + "ACC-082-A17", + "ACC-082-A18", + "ACC-320-A16", + "ACC-320-A18", + "ACC-320-A24", + "ACC-320-A34", + "ACC-320-A40", + "ACC-320-A48", + "ACC-478-A08", + "ACC-499-A07", + "ACC-508-A06", + "ACC-559-A04", + "ACC-578-A07", + "ACC-607", + "AI-052-A28", + "AI-052-A29", + "AI-1573-A01", + "AI-797-A09", + "AI-797-A18", + "AI-797-A36", + "AI-797-A45", + "AI-924-A13", + "AI-924-A14", + "AUTH-008-A25", + "AUTH-1049-A56", + "AUTH-1050-A13", + "AUTH-1061-A75", + "AUTH-1084", + "AUTH-1095-A02", + "AUTH-1096", + "AUTH-1096-A01", + "AUTH-1102-A14", + "AUTH-112-A04", + "AUTH-112-A17", + "AUTH-1288", + "AUTH-1300-A05", + "AUTH-1303-A05", + "AUTH-1313-A04", + "AUTH-1314-A03", + "AUTH-1445-A02", + "AUTH-1463-A04", + "AUTH-1463-A09", + "AUTH-1466-A09", + "AUTH-1468-A01", + "AUTH-1468-A06", + "AUTH-1524-A04", + "AUTH-1529-A04", + "AUTH-1669-A05", + "AUTH-1669-A06", + "AUTH-1679", + "AUTH-1679-A02", + "AUTH-1711-A06", + "AUTH-1742-A01", + "AUTH-1742-A07", + "AUTH-1759-A05", + "AUTH-1790", + "AUTH-1790-A04", + "AUTH-1818-A11", + "AUTH-1860-A05", + "AUTH-1860-A08", + "AUTH-1860-A09", + "AUTH-1862-A09", + "AUTH-1865-A12", + "AUTH-187-A11", + 
"AUTH-1901-A05", + "AUTH-1910-A05", + "AUTH-1912-A07", + "AUTH-1940-A04", + "AUTH-2121-A04", + "AUTH-2315-A04", + "AUTH-2338-A09", + "AUTH-2399-A07", + "AUTH-2405-A06", + "AUTH-2452-A07", + "AUTH-2473-A01", + "AUTH-2473-A02", + "AUTH-2484-A01", + "AUTH-2548", + "AUTH-2551", + "AUTH-2552-A03", + "AUTH-2689-A02", + "AUTH-2689-A04", + "AUTH-2793", + "AUTH-2793-A02", + "AUTH-2805-A06", + "AUTH-2805-A11", + "AUTH-2850", + "AUTH-2851-A10", + "AUTH-2873-A04", + "AUTH-2879", + "AUTH-2924", + "AUTH-2945-A11", + "AUTH-2968", + "AUTH-2979-A07", + "AUTH-2996", + "AUTH-3004", + "AUTH-3021-A07", + "AUTH-3045-A04", + "AUTH-3068-A06", + "AUTH-3082-A10", + "AUTH-3165-A02", + "AUTH-3166-A07", + "AUTH-3258-A09", + "AUTH-3266-A07", + "AUTH-3281", + "AUTH-3284-A01", + "AUTH-3284-A04", + "AUTH-3284-A05", + "AUTH-3333-A06", + "AUTH-3334", + "AUTH-3334-A05", + "AUTH-3452-A01", + "AUTH-3452-A05", + "AUTH-3457", + "AUTH-3460-A04", + "AUTH-3461-A03", + "AUTH-3461-A05", + "AUTH-3469-A03", + "AUTH-3486-A10", + "AUTH-3541-A06", + "AUTH-3542-A06", + "AUTH-3547", + "AUTH-3554-A02", + "AUTH-3562-A01", + "AUTH-3595", + "AUTH-3595-A02", + "AUTH-3595-A06", + "AUTH-3595-A08", + "AUTH-3596", + "AUTH-3596-A04", + "AUTH-3597-A06", + "AUTH-3599-A04", + "AUTH-3638", + "AUTH-3652-A11", + "AUTH-3653", + "AUTH-3659-A01", + "AUTH-3677-A04", + "AUTH-3705-A02", + "AUTH-3751-A08", + "AUTH-3825-A08", + "AUTH-3887-A01", + "AUTH-3908-A05", + "AUTH-3915", + "AUTH-3915-A01", + "AUTH-3915-A03", + "AUTH-3921", + "AUTH-3929-A01", + "AUTH-3947", + "AUTH-3948-A04", + "AUTH-3958-A02", + "AUTH-3964-A07", + "AUTH-3968-A09", + "AUTH-3977-A02", + "AUTH-3993", + "AUTH-3993-A02", + "AUTH-4027-A02", + "AUTH-4030-A03", + "AUTH-4031-A08", + "AUTH-4032-A02", + "AUTH-4036-A04", + "AUTH-4082-A10", + "AUTH-4083-A05", + "AUTH-4085", + "AUTH-4085-A01", + "AUTH-4095-A17", + "AUTH-494-A02", + "AUTH-500-A03", + "AUTH-505-A06", + "AUTH-538-A04", + "AUTH-544", + "AUTH-544-A06", + "AUTH-544-A07", + "AUTH-559-A04", + "AUTH-559-A13", + 
"AUTH-572", + "AUTH-572-A02", + "AUTH-572-A07", + "AUTH-577-A04", + "AUTH-584-A06", + "AUTH-615-A06", + "AUTH-623-A07", + "AUTH-623-A08", + "AUTH-637-A31", + "AUTH-648-A02", + "AUTH-661-A09", + "AUTH-661-A22", + "AUTH-710-A06", + "AUTH-732-A01", + "AUTH-743-A04", + "AUTH-743-A10", + "AUTH-751-A05", + "AUTH-751-A06", + "AUTH-751-A07", + "AUTH-751-A08", + "AUTH-762-A11", + "AUTH-774-A01", + "AUTH-784-A08", + "AUTH-784-A09", + "AUTH-785-A02", + "AUTH-803", + "AUTH-803-A03", + "AUTH-803-A06", + "AUTH-803-A08", + "AUTH-804-A05", + "AUTH-807", + "AUTH-807-A01", + "AUTH-810-A04", + "AUTH-819-A03", + "AUTH-819-A04", + "AUTH-822-A03", + "AUTH-822-A06", + "AUTH-822-A08", + "AUTH-824-A09", + "AUTH-824-A15", + "AUTH-824-A16", + "AUTH-827-A10", + "AUTH-836", + "AUTH-836-A01", + "AUTH-836-A02", + "AUTH-836-A06", + "AUTH-836-A08", + "AUTH-836-A09", + "AUTH-836-A12", + "AUTH-836-A17", + "AUTH-836-A18", + "AUTH-837-A07", + "AUTH-845-A02", + "AUTH-845-A07", + "AUTH-845-A14", + "AUTH-845-A19", + "AUTH-845-A25", + "AUTH-845-A28", + "AUTH-845-A29", + "AUTH-845-A39", + "AUTH-845-A46", + "AUTH-845-A55", + "AUTH-846-A09", + "AUTH-846-A19", + "AUTH-846-A29", + "AUTH-846-A38", + "AUTH-846-A48", + "AUTH-849-A26", + "AUTH-849-A27", + "AUTH-849-A31", + "AUTH-849-A32", + "AUTH-849-A43", + "AUTH-849-A44", + "AUTH-849-A46", + "AUTH-849-A47", + "AUTH-849-A58", + "AUTH-849-A59", + "AUTH-902", + "AUTH-903-A21", + "AUTH-903-A22", + "AUTH-909", + "AUTH-925-A05", + "AUTH-925-A06", + "AUTH-925-A12", + "AUTH-949-A03", + "AUTH-986-A08", + "AUTH-986-A09", + "AUTH-989-A22", + "COMP-1079-A07", + "COMP-1264-A04", + "COMP-1904-A06", + "COMP-1904-A07", + "COMP-2129-A04", + "COMP-3360-A02", + "COMP-3421-A13", + "COMP-3435-A01", + "COMP-3981-A05", + "CRYP-1210-A09", + "CRYP-1299-A09", + "CRYP-1372-A05", + "CRYP-1433-A07", + "CRYP-1684-A07", + "CRYP-1725-A02", + "CRYP-1750-A09", + "CRYP-1751", + "CRYP-1751-A01", + "CRYP-1864-A05", + "CRYP-1884-A04", + "CRYP-1927-A13", + "CRYP-2142-A06", + "CRYP-2148-A06", + 
"CRYP-2173-A04", + "CRYP-2179-A09", + "CRYP-2334", + "CRYP-447-A01", + "CRYP-447-A17", + "CRYP-637-A10", + "CRYP-713-A07", + "CRYP-723-A09", + "CRYP-738-A06", + "CRYP-790", + "DATA-1191-A02", + "DATA-1810-A02", + "DATA-2493-A12", + "DATA-2510-A07", + "DATA-3154-A02", + "DATA-3376-A06", + "DATA-3614", + "DATA-3754-A02", + "DATA-3948", + "DATA-4225-A04", + "DATA-4317-A05", + "GIA-002", + "GOV-180-A06", + "GOV-180-A12", + "GOV-2076-A13", + "GOV-3110-A02", + "GOV-3868-A01", + "GOV-3868-A07", + "INC-246", + "INC-246-A01", + "INC-246-A02", + "INC-246-A04", + "LOG-107-A02", + "LOG-1506-A03", + "LOG-1861-A06", + "LOG-967-A06", + "NET-040-A03", + "NET-040-A12", + "NET-1166-A05", + "NET-1293-A02", + "NET-1787-A12", + "NET-351-A09", + "NET-405-A02", + "NET-405-A07", + "NET-857-A06", + "NET-857-A12", + "NET-860-A09", + "NET-887-A02", + "NET-887-A07", + "SEC-019-A02", + "SEC-019-A14", + "SEC-019-A29", + "SEC-052-A06", + "SEC-093-A05", + "SEC-093-A06", + "SEC-171-A47", + "SEC-2643-A07", + "SEC-2643-A15", + "SEC-2738-A06", + "SEC-2781-A01", + "SEC-2809", + "SEC-2809-A02", + "SEC-2809-A05", + "SEC-2809-A08", + "SEC-2809-A09", + "SEC-3383", + "SEC-3383-A01", + "SEC-3383-A03", + "SEC-3383-A09", + "SEC-3643-A07", + "SEC-3740-A03", + "SEC-387-A10", + "SEC-387-A24", + "SEC-3870", + "SEC-3965-A02", + "SEC-418-A15", + "SEC-4292-A12", + "SEC-4295", + "SEC-4513-A07", + "SEC-4560-A03", + "SEC-5435-A03", + "SEC-5505-A05", + "SEC-5767-A01", + "SEC-5915-A06", + "SEC-6778", + "SEC-6784-A08", + "SEC-6804-A01", + "SEC-6804-A02", + "SEC-6833-A07", + "SEC-6846-A03", + "SEC-7686-A01", + "SEC-7686-A02", + "SEC-7686-A05", + "SEC-7793-A09", + "SEC-7979-A02", + "SEC-7984-A07", + "SEC-8815", + "SEC-8847-A02", + "SEC-8996-A06", + "SEC-9087-A02" + ], + "member_count": 391, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.9, + "source_meta_cluster": "M94", + "cluster_size": 55, + 
"llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "step_up_authentication", + "name": "Step-up/erneute Authentifizierung bei sensiblen Aktionen", + "description": "Bei kritischen oder sensiblen Operationen ist eine Step-up- bzw. erneute Authentifizierung auszuloesen.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "session", + "applicability": "conditional:sensitive_action", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-63B 4.3", + "role": "best_practice" + }, + { + "source": "NIST", + "anchor": "SP 800-63-3", + "role": "best_practice" + } + ], + "member_review_units": [ + "M0", + "M4", + "M112" + ], + "member_controls": [ + "ACC-001-A09", + "ACC-001-A24", + "ACC-014-A07", + "ACC-014-A11", + "ACC-014-A16", + "ACC-014-A20", + "ACC-0384", + "ACC-0384-A01", + "ACC-0384-A05", + "ACC-0411", + "ACC-0411-A01", + "ACC-0411-A03", + "ACC-0411-A05", + "ACC-0411-A09", + "ACC-064-A04", + "ACC-064-A09", + "ACC-064-A14", + "ACC-180-A07", + "ACC-320-A08", + "ACC-320-A15", + "ACC-320-A23", + "ACC-320-A31", + "ACC-320-A39", + "ACC-320-A47", + "ACC-326-A01", + "ACC-326-A12", + "ACC-326-A23", + "ACC-326-A34", + "ACC-326-A45", + "ACC-326-A56", + "ACC-427-A05", + "ACC-427-A14", + "ACC-490-A06", + "ACC-504-A05", + "ACC-521-A10", + "ACC-533", + "ACC-533-A02", + "ACC-640-A04", + "ACC-640-A07", + "ACC-640-A12", + "ACC-647-A03", + "ACC-655-A17", + "ACC-660", + "AI-019", + "AI-1236-A08", + "AI-1351-A10", + "AI-1424-A03", + "AI-760-A03", + "AI-760-A35", + "AUTH-047", + "AUTH-071-A11", + "AUTH-071-A12", + "AUTH-1018", + "AUTH-1096-A03", + "AUTH-1099-A07", + "AUTH-1300-A06", + "AUTH-1426", + "AUTH-1426-A01", + "AUTH-1426-A04", + "AUTH-1443-A06", + "AUTH-1455-A03", + "AUTH-1463-A05", + "AUTH-1466-A05", + "AUTH-1466-A07", + "AUTH-1529-A05", + "AUTH-1530", + "AUTH-1530-A03", + 
"AUTH-1633-A04", + "AUTH-1640-A08", + "AUTH-1652-A14", + "AUTH-1654-A04", + "AUTH-1667-A05", + "AUTH-1667-A06", + "AUTH-1670-A13", + "AUTH-1671-A11", + "AUTH-1672-A13", + "AUTH-1677-A05", + "AUTH-1694-A05", + "AUTH-1709-A06", + "AUTH-1806-A07", + "AUTH-1811-A03", + "AUTH-1813-A09", + "AUTH-1823-A03", + "AUTH-1823-A07", + "AUTH-1826-A05", + "AUTH-1830-A05", + "AUTH-1834-A07", + "AUTH-1859-A06", + "AUTH-1862-A07", + "AUTH-1908-A03", + "AUTH-1917-A07", + "AUTH-1932-A04", + "AUTH-1932-A05", + "AUTH-1945-A06", + "AUTH-2315-A05", + "AUTH-2397-A04", + "AUTH-2409-A01", + "AUTH-2417-A09", + "AUTH-2425-A14", + "AUTH-2426-A04", + "AUTH-2461-A08", + "AUTH-2466-A03", + "AUTH-2466-A05", + "AUTH-2466-A06", + "AUTH-2486-A10", + "AUTH-2573-A03", + "AUTH-2635-A06", + "AUTH-2641-A02", + "AUTH-2678-A09", + "AUTH-2781-A07", + "AUTH-2781-A08", + "AUTH-2817-A08", + "AUTH-2819-A05", + "AUTH-2851-A09", + "AUTH-2883-A08", + "AUTH-2886-A07", + "AUTH-2926", + "AUTH-2935-A05", + "AUTH-2935-A10", + "AUTH-2937-A09", + "AUTH-2939", + "AUTH-2943-A13", + "AUTH-2947", + "AUTH-2949", + "AUTH-2955", + "AUTH-2958", + "AUTH-2964-A02", + "AUTH-2967-A01", + "AUTH-2973-A04", + "AUTH-2974-A05", + "AUTH-2975-A07", + "AUTH-2978-A05", + "AUTH-2981", + "AUTH-2985-A09", + "AUTH-2995-A02", + "AUTH-3020-A02", + "AUTH-3045-A05", + "AUTH-3065-A01", + "AUTH-3068-A04", + "AUTH-3070-A01", + "AUTH-3082-A06", + "AUTH-3154-A07", + "AUTH-3165-A07", + "AUTH-3258-A06", + "AUTH-3284-A03", + "AUTH-3296-A07", + "AUTH-3300-A02", + "AUTH-3334", + "AUTH-3334-A05", + "AUTH-3393-A01", + "AUTH-3430-A04", + "AUTH-3542-A11", + "AUTH-3543-A12", + "AUTH-3548-A01", + "AUTH-3595-A07", + "AUTH-3597-A07", + "AUTH-3597-A08", + "AUTH-3635-A03", + "AUTH-3635-A04", + "AUTH-3641-A05", + "AUTH-3647-A08", + "AUTH-3659-A02", + "AUTH-3670-A09", + "AUTH-3825-A07", + "AUTH-3900-A03", + "AUTH-3906-A10", + "AUTH-3906-A11", + "AUTH-3908", + "AUTH-3921-A09", + "AUTH-3947-A05", + "AUTH-3948", + "AUTH-3948-A01", + "AUTH-3948-A03", + "AUTH-3955", + 
"AUTH-3955-A04", + "AUTH-3955-A06", + "AUTH-3962-A06", + "AUTH-3963-A04", + "AUTH-3964-A03", + "AUTH-3964-A04", + "AUTH-3964-A05", + "AUTH-3977", + "AUTH-3977-A01", + "AUTH-3977-A04", + "AUTH-3984-A05", + "AUTH-3997-A03", + "AUTH-3999-A03", + "AUTH-4004", + "AUTH-4031-A05", + "AUTH-4043-A03", + "AUTH-4043-A04", + "AUTH-4123", + "AUTH-4123-A03", + "AUTH-4133", + "AUTH-4134", + "AUTH-492-A04", + "AUTH-505-A03", + "AUTH-509", + "AUTH-509-A02", + "AUTH-637-A32", + "AUTH-637-A33", + "AUTH-700-A07", + "AUTH-700-A08", + "AUTH-710", + "AUTH-739", + "AUTH-739-A01", + "AUTH-739-A02", + "AUTH-752-A08", + "AUTH-757-A12", + "AUTH-762-A04", + "AUTH-762-A05", + "AUTH-763-A07", + "AUTH-782-A02", + "AUTH-782-A07", + "AUTH-782-A11", + "AUTH-782-A16", + "AUTH-794-A07", + "AUTH-837", + "AUTH-837-A08", + "AUTH-837-A16", + "AUTH-837-A17", + "AUTH-838-A03", + "AUTH-838-A05", + "AUTH-838-A07", + "AUTH-838-A13", + "AUTH-838-A15", + "AUTH-838-A22", + "AUTH-838-A31", + "AUTH-838-A33", + "AUTH-838-A41", + "AUTH-838-A49", + "AUTH-843", + "AUTH-843-A07", + "AUTH-843-A16", + "AUTH-843-A25", + "AUTH-843-A35", + "AUTH-843-A45", + "AUTH-843-A52", + "AUTH-850-A06", + "AUTH-850-A16", + "AUTH-850-A26", + "AUTH-850-A44", + "AUTH-851", + "AUTH-885", + "AUTH-885-A25", + "AUTH-885-A34", + "AUTH-888", + "AUTH-888-A07", + "AUTH-888-A14", + "AUTH-888-A22", + "AUTH-888-A29", + "AUTH-888-A38", + "AUTH-889", + "AUTH-889-A03", + "AUTH-889-A11", + "AUTH-889-A23", + "AUTH-889-A31", + "AUTH-889-A35", + "AUTH-895", + "AUTH-902-A07", + "AUTH-902-A08", + "AUTH-902-A13", + "AUTH-902-A14", + "AUTH-902-A18", + "AUTH-926", + "AUTH-932-A02", + "AUTH-932-A07", + "AUTH-932-A12", + "AUTH-932-A18", + "AUTH-932-A23", + "AUTH-933", + "AUTH-941-A13", + "AUTH-942", + "AUTH-949-A38", + "AUTH-949-A56", + "AUTH-989-A22", + "CHP-002-A07", + "CHP-004-A03", + "COMP-1904-A03", + "COMP-1960-A08", + "COMP-2144-A03", + "COMP-2876-A10", + "COMP-2880-A04", + "COMP-2928-A03", + "COMP-3602-A03", + "CRYP-1013-A10", + "CRYP-1022-A07", + 
"CRYP-1124-A03", + "CRYP-1124-A07", + "CRYP-1201-A02", + "CRYP-1317", + "CRYP-1354-A01", + "CRYP-1434-A09", + "CRYP-1466-A04", + "CRYP-1475-A06", + "CRYP-1523-A07", + "CRYP-1530-A07", + "CRYP-1712", + "CRYP-172-A07", + "CRYP-1724-A09", + "CRYP-1750-A06", + "CRYP-1756-A13", + "CRYP-1788", + "CRYP-1927-A12", + "CRYP-2179-A05", + "CRYP-447-A15", + "CRYP-780-A06", + "DATA-1881-A07", + "DATA-2427-A02", + "DATA-2481-A09", + "DATA-2607-A07", + "DATA-2660-A06", + "DATA-2663-A09", + "DATA-4121-A01", + "GOV-008-A13", + "GOV-1701-A04", + "GOV-2718-A03", + "GOV-3493-A09", + "GOV-511-A28", + "IAM-005", + "IAM-005-A01", + "IAM-005-A02", + "IAM-005-A03", + "IAM-005-A07", + "IAM-005-A08", + "IAM-005-A09", + "IDA-002-A07", + "IDA-005-A05", + "IDA-005-A07", + "IDA-006-A07", + "IDA-007-A07", + "MBT-004-A04", + "NET-1012-A03", + "NET-1012-A06", + "NET-1014-A09", + "NET-1633-A03", + "NET-512-A06", + "NET-512-A12", + "NET-857-A07", + "NET-857-A08", + "NET-857-A09", + "NET-860-A04", + "NET-860-A07", + "SEC-1153-A38", + "SEC-1153-A52", + "SEC-1153-A68", + "SEC-1232-A07", + "SEC-2853-A02", + "SEC-4513-A05", + "SEC-4513-A06", + "SEC-4593-A03", + "SEC-4593-A04", + "SEC-4966-A12", + "SEC-5792-A05", + "SEC-5915-A07", + "SEC-5915-A08", + "SEC-5965-A08", + "SEC-6153-A11", + "SEC-6771-A07", + "SEC-6784-A09", + "SEC-7237-A08", + "SEC-7450-A02", + "SEC-7686-A06", + "SEC-7962-A07", + "SEC-7963-A05", + "SEC-7963-A06", + "SEC-8016-A06", + "SEC-8103-A02", + "SEC-8244", + "SEC-8295-A06" + ], + "member_count": 370, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.85, + "source_meta_cluster": "M0", + "cluster_size": 166, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "merged_from": [ + "risk_based_authentication" + ] + }, + { + "id": "privileged_op_reauth", + "name": "Explizite Authentifizierung vor privilegierten Operationen", + "description": "Privilegierte 
Operationen erfordern explizite (Token/PIN-)Authentifizierung vor Ausfuehrung.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "credential", + "applicability": "conditional:privileged_op", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "IA-02", + "role": "best_practice" + }, + { + "source": "NIST", + "anchor": "IA-02(1)", + "role": "best_practice" + } + ], + "member_review_units": [ + "M4", + "M11", + "M160" + ], + "member_controls": [ + "ACC-064-A04", + "ACC-064-A09", + "ACC-064-A14", + "ACC-326-A01", + "ACC-326-A12", + "ACC-326-A23", + "ACC-326-A34", + "ACC-326-A45", + "ACC-326-A56", + "ACC-504-A05", + "ACC-567", + "ACC-567-A01", + "ACC-640-A04", + "ACC-640-A07", + "ACC-647-A03", + "ACC-660", + "AI-019", + "AI-1424-A03", + "AI-760-A03", + "AI-760-A35", + "AUTH-001", + "AUTH-046", + "AUTH-071-A11", + "AUTH-071-A12", + "AUTH-1018", + "AUTH-1018-A02", + "AUTH-1018-A03", + "AUTH-1058", + "AUTH-1067", + "AUTH-1102-A02", + "AUTH-1102-A04", + "AUTH-116-A01", + "AUTH-116-A12", + "AUTH-1275", + "AUTH-1280", + "AUTH-1295-A06", + "AUTH-1303-A01", + "AUTH-1303-A02", + "AUTH-1310-A02", + "AUTH-1314", + "AUTH-1314-A01", + "AUTH-1316", + "AUTH-1426", + "AUTH-1426-A01", + "AUTH-1426-A03", + "AUTH-1426-A04", + "AUTH-1446-A01", + "AUTH-1455-A03", + "AUTH-1466-A05", + "AUTH-1525", + "AUTH-1529-A03", + "AUTH-1529-A07", + "AUTH-1530", + "AUTH-1530-A03", + "AUTH-1634-A03", + "AUTH-1638-A01", + "AUTH-1645-A03", + "AUTH-1649-A01", + "AUTH-1649-A03", + "AUTH-1649-A04", + "AUTH-1677-A03", + "AUTH-1682-A02", + "AUTH-1684-A04", + "AUTH-1688-A06", + "AUTH-1701", + "AUTH-1701-A02", + "AUTH-1701-A05", + "AUTH-1709-A06", + "AUTH-1711", + "AUTH-1711-A01", + "AUTH-1711-A03", + "AUTH-1711-A05", + "AUTH-1716-A01", + "AUTH-1720", + "AUTH-1720-A02", + "AUTH-1721-A02", + "AUTH-1810-A04", + "AUTH-1813-A08", + "AUTH-1823-A03", 
+ "AUTH-1826-A05", + "AUTH-1896", + "AUTH-1896-A02", + "AUTH-1896-A03", + "AUTH-1896-A04", + "AUTH-1901-A03", + "AUTH-1908-A03", + "AUTH-1917-A07", + "AUTH-1945-A06", + "AUTH-2315", + "AUTH-2315-A03", + "AUTH-2315-A05", + "AUTH-2316-A01", + "AUTH-2316-A02", + "AUTH-2317-A03", + "AUTH-2322-A01", + "AUTH-2338-A01", + "AUTH-2338-A05", + "AUTH-2368-A01", + "AUTH-2368-A02", + "AUTH-2368-A05", + "AUTH-2397-A04", + "AUTH-2409-A01", + "AUTH-2419-A04", + "AUTH-2419-A05", + "AUTH-2426-A04", + "AUTH-2452-A01", + "AUTH-2452-A02", + "AUTH-2452-A03", + "AUTH-2452-A08", + "AUTH-2452-A09", + "AUTH-2461", + "AUTH-2461-A01", + "AUTH-2466-A03", + "AUTH-2466-A05", + "AUTH-2466-A06", + "AUTH-2473-A01", + "AUTH-2473-A02", + "AUTH-2475-A04", + "AUTH-2484-A01", + "AUTH-2486-A10", + "AUTH-2552-A03", + "AUTH-2689", + "AUTH-2689-A01", + "AUTH-2689-A02", + "AUTH-2689-A03", + "AUTH-2689-A05", + "AUTH-2819-A05", + "AUTH-2822-A02", + "AUTH-2822-A07", + "AUTH-2866-A02", + "AUTH-2873-A03", + "AUTH-2877", + "AUTH-2877-A02", + "AUTH-2883-A04", + "AUTH-2883-A08", + "AUTH-2886-A01", + "AUTH-2886-A07", + "AUTH-2926", + "AUTH-2930-A01", + "AUTH-2930-A08", + "AUTH-2935-A05", + "AUTH-2935-A10", + "AUTH-2937-A04", + "AUTH-2939", + "AUTH-2944-A12", + "AUTH-2946-A02", + "AUTH-2947", + "AUTH-2949", + "AUTH-2955", + "AUTH-2956-A04", + "AUTH-2958", + "AUTH-2963-A05", + "AUTH-2964-A02", + "AUTH-2965-A05", + "AUTH-2967-A01", + "AUTH-2968", + "AUTH-2968-A05", + "AUTH-2969-A01", + "AUTH-2973-A04", + "AUTH-2978-A05", + "AUTH-2981", + "AUTH-2981-A07", + "AUTH-2982-A01", + "AUTH-2987", + "AUTH-2987-A08", + "AUTH-2987-A09", + "AUTH-2993", + "AUTH-2993-A04", + "AUTH-2994", + "AUTH-2995-A02", + "AUTH-2996", + "AUTH-2996-A07", + "AUTH-3002-A06", + "AUTH-3011", + "AUTH-3011-A01", + "AUTH-3012", + "AUTH-3013-A04", + "AUTH-3013-A07", + "AUTH-3015", + "AUTH-3015-A01", + "AUTH-3015-A02", + "AUTH-3018", + "AUTH-3018-A04", + "AUTH-3021-A07", + "AUTH-3045-A05", + "AUTH-3064", + "AUTH-3064-A01", + "AUTH-3064-A03", + 
"AUTH-3065-A01", + "AUTH-3070-A01", + "AUTH-3074", + "AUTH-3074-A05", + "AUTH-3151-A03", + "AUTH-3155-A05", + "AUTH-3165-A02", + "AUTH-3258-A06", + "AUTH-3286-A02", + "AUTH-3305-A01", + "AUTH-3333-A06", + "AUTH-3393-A01", + "AUTH-3452-A01", + "AUTH-3452-A05", + "AUTH-3454-A01", + "AUTH-3454-A05", + "AUTH-3454-A06", + "AUTH-3454-A07", + "AUTH-3460", + "AUTH-3460-A06", + "AUTH-3461", + "AUTH-3461-A01", + "AUTH-3461-A07", + "AUTH-3469-A03", + "AUTH-3541-A02", + "AUTH-3541-A07", + "AUTH-3543-A01", + "AUTH-3545-A04", + "AUTH-3547", + "AUTH-3594", + "AUTH-3594-A01", + "AUTH-3594-A02", + "AUTH-3594-A07", + "AUTH-3595-A07", + "AUTH-3596-A01", + "AUTH-3596-A07", + "AUTH-3599", + "AUTH-3635-A03", + "AUTH-3635-A04", + "AUTH-3635-A05", + "AUTH-3652-A05", + "AUTH-3652-A06", + "AUTH-3659-A01", + "AUTH-3659-A02", + "AUTH-3705-A02", + "AUTH-3705-A06", + "AUTH-3751", + "AUTH-3825-A07", + "AUTH-3825-A08", + "AUTH-3887-A01", + "AUTH-3900", + "AUTH-3900-A01", + "AUTH-3900-A02", + "AUTH-3900-A03", + "AUTH-3900-A05", + "AUTH-3906-A03", + "AUTH-3906-A04", + "AUTH-3906-A10", + "AUTH-3906-A11", + "AUTH-3908", + "AUTH-3908-A05", + "AUTH-3915", + "AUTH-3915-A01", + "AUTH-3915-A03", + "AUTH-3921-A09", + "AUTH-3929-A01", + "AUTH-3946-A01", + "AUTH-3947-A05", + "AUTH-3948", + "AUTH-3948-A01", + "AUTH-3948-A03", + "AUTH-3955", + "AUTH-3955-A02", + "AUTH-3955-A03", + "AUTH-3955-A04", + "AUTH-3955-A06", + "AUTH-3962-A06", + "AUTH-3963-A01", + "AUTH-3963-A02", + "AUTH-3963-A04", + "AUTH-3968-A09", + "AUTH-3969-A02", + "AUTH-3977", + "AUTH-3977-A01", + "AUTH-3977-A02", + "AUTH-3977-A04", + "AUTH-3982-A01", + "AUTH-3984-A05", + "AUTH-3984-A06", + "AUTH-3988-A04", + "AUTH-3997-A03", + "AUTH-3999-A03", + "AUTH-3999-A04", + "AUTH-4031-A05", + "AUTH-4035-A01", + "AUTH-4069-A02", + "AUTH-4072-A13", + "AUTH-4076", + "AUTH-4079-A04", + "AUTH-4083-A05", + "AUTH-4123-A03", + "AUTH-4127", + "AUTH-4130-A02", + "AUTH-492-A04", + "AUTH-500-A03", + "AUTH-505-A03", + "AUTH-520-A04", + "AUTH-538", + "AUTH-538-A04", 
+ "AUTH-551", + "AUTH-551-A02", + "AUTH-559-A17", + "AUTH-606", + "AUTH-616-A04", + "AUTH-616-A14", + "AUTH-616-A17", + "AUTH-637-A32", + "AUTH-637-A33", + "AUTH-648", + "AUTH-648-A02", + "AUTH-680-A04", + "AUTH-700", + "AUTH-710", + "AUTH-738", + "AUTH-754-A05", + "AUTH-754-A07", + "AUTH-754-A12", + "AUTH-762-A04", + "AUTH-762-A05", + "AUTH-763-A06", + "AUTH-766-A06", + "AUTH-769-A07", + "AUTH-774-A03", + "AUTH-785-A02", + "AUTH-803", + "AUTH-803-A02", + "AUTH-803-A06", + "AUTH-803-A08", + "AUTH-807", + "AUTH-807-A01", + "AUTH-807-A04", + "AUTH-813", + "AUTH-815", + "AUTH-824-A09", + "AUTH-824-A16", + "AUTH-825", + "AUTH-827", + "AUTH-831-A03", + "AUTH-831-A05", + "AUTH-837", + "AUTH-837-A08", + "AUTH-837-A16", + "AUTH-837-A17", + "AUTH-838-A03", + "AUTH-838-A05", + "AUTH-838-A07", + "AUTH-838-A15", + "AUTH-838-A33", + "AUTH-843", + "AUTH-843-A07", + "AUTH-843-A16", + "AUTH-843-A25", + "AUTH-843-A35", + "AUTH-843-A45", + "AUTH-843-A52", + "AUTH-845-A02", + "AUTH-845-A04", + "AUTH-845-A05", + "AUTH-845-A14", + "AUTH-845-A17", + "AUTH-845-A25", + "AUTH-845-A28", + "AUTH-845-A36", + "AUTH-845-A37", + "AUTH-845-A46", + "AUTH-845-A48", + "AUTH-845-A49", + "AUTH-845-A52", + "AUTH-845-A53", + "AUTH-850-A06", + "AUTH-850-A16", + "AUTH-850-A26", + "AUTH-850-A44", + "AUTH-851", + "AUTH-851-A16", + "AUTH-855-A01", + "AUTH-855-A02", + "AUTH-855-A16", + "AUTH-855-A17", + "AUTH-855-A31", + "AUTH-855-A32", + "AUTH-855-A46", + "AUTH-855-A47", + "AUTH-855-A48", + "AUTH-855-A61", + "AUTH-855-A62", + "AUTH-867-A20", + "AUTH-889-A03", + "AUTH-889-A11", + "AUTH-889-A23", + "AUTH-889-A31", + "AUTH-889-A35", + "AUTH-893-A10", + "AUTH-893-A22", + "AUTH-895", + "AUTH-902", + "AUTH-902-A07", + "AUTH-902-A08", + "AUTH-902-A13", + "AUTH-902-A14", + "AUTH-902-A18", + "AUTH-903-A21", + "AUTH-903-A22", + "AUTH-939", + "AUTH-939-A01", + "AUTH-939-A02", + "AUTH-939-A09", + "AUTH-939-A19", + "AUTH-939-A26", + "AUTH-939-A31", + "AUTH-939-A42", + "AUTH-951", + "AVL-003-A06", + "BND-002-A02", + 
"BND-002-A04", + "BND-002-A06", + "BND-002-A08", + "COMP-1904", + "COMP-1904-A03", + "COMP-2144-A03", + "COMP-2780-A04", + "COMP-2880-A04", + "COMP-2928-A03", + "COMP-3313-A03", + "COMP-3435-A01", + "COMP-3602-A03", + "CRYP-1079-A08", + "CRYP-1124-A03", + "CRYP-1201-A02", + "CRYP-1269", + "CRYP-1269-A01", + "CRYP-1269-A02", + "CRYP-1288-A04", + "CRYP-1354-A01", + "CRYP-1359-A05", + "CRYP-1394-A03", + "CRYP-1652-A09", + "CRYP-1700-A02", + "CRYP-1751", + "CRYP-1751-A01", + "CRYP-1751-A02", + "CRYP-1756-A13", + "CRYP-1788", + "CRYP-1819-A01", + "CRYP-1927-A06", + "CRYP-2179-A05", + "CRYP-2287", + "CRYP-2301-A06", + "CRYP-2315-A06", + "CRYP-2355-A01", + "CRYP-626-A05", + "CRYP-876-A06", + "DATA-1007-A02", + "DATA-1007-A09", + "DATA-1007-A11", + "DATA-1801", + "DATA-2427-A02", + "DATA-259", + "DATA-2662-A05", + "DATA-3154-A06", + "DATA-3613-A04", + "DATA-3614-A02", + "DATA-4121-A01", + "GIA-002", + "GIA-002-A10", + "GOV-008-A13", + "GOV-1701-A04", + "GOV-3868-A11", + "GOV-511-A28", + "IAM-005", + "IAM-005-A02", + "IAM-005-A08", + "LOG-1506-A03", + "LOG-967", + "LOG-967-A01", + "LOG-967-A03", + "LOG-967-A05", + "LOG-967-A06", + "NET-040-A03", + "NET-040-A12", + "NET-1014-A09", + "NET-1166-A05", + "NET-1243-A05", + "NET-1345-A02", + "NET-1633-A02", + "NET-1787-A12", + "NET-465-A02", + "NET-465-A07", + "NET-928-A02", + "PRC-012-A01", + "SEC-1223-A05", + "SEC-1232-A07", + "SEC-171-A47", + "SEC-2445-A01", + "SEC-2643-A07", + "SEC-2781-A01", + "SEC-2853-A02", + "SEC-3157-A03", + "SEC-3157-A07", + "SEC-387-A10", + "SEC-387-A24", + "SEC-3870", + "SEC-4010-A09", + "SEC-4021-A03", + "SEC-418-A15", + "SEC-4254-A03", + "SEC-4561", + "SEC-4561-A02", + "SEC-4566-A04", + "SEC-4593-A03", + "SEC-4593-A04", + "SEC-5610", + "SEC-5640-A04", + "SEC-5792-A01", + "SEC-5915-A05", + "SEC-5915-A06", + "SEC-5915-A07", + "SEC-5915-A08", + "SEC-6775", + "SEC-7686-A05", + "SEC-7793-A05", + "SEC-7962-A07", + "SEC-7984", + "SEC-7984-A01", + "SEC-7984-A04", + "SEC-7984-A08", + "SEC-8103-A02", + 
"SEC-8244", + "SEC-8825-A04", + "SEC-8825-A05", + "SEC-8847-A02", + "SEC-9065-A01" + ], + "member_count": 530, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.82, + "source_meta_cluster": "M4", + "cluster_size": 159, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "merged_from": [ + "mfa_privileged_access" + ] + }, + { + "id": "strong_crypto_authentication", + "name": "Kryptographische Verfahren fuer Authentifizierung", + "description": "Authentifizierungsmechanismen muessen auf robusten, anerkannten kryptographischen Verfahren beruhen und gegen Angriffe robust sein.", + "tier": "LEGAL_MINIMUM", + "family": "authentication", + "subdomain": "credential", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I (2)(e)", + "citation": "protect the confidentiality... through state-of-the-art mechanisms incl. 
encryption" + } + ], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "TR-02102", + "role": "best_practice" + }, + { + "source": "Ephemere Schluessel bei Authentifizierung", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "ephemeral_key_auth" + }, + { + "source": "Nachrichtenauthentifizierung (MAC)", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "message_authentication_codes" + }, + { + "source": "Replay-Schutz mit Nonces", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "replay_protection_nonce" + }, + { + "source": "Challenge-Response-Authentifizierung", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "challenge_response_auth" + }, + { + "source": "Datenursprungs-/Domaenenauthentifizierung", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "data_origin_authentication" + }, + { + "source": "Zugelassene Hash-Funktionen fuer Authentifizierung", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "approved_hash_functions" + } + ], + "member_review_units": [ + "M1", + "M16", + "M59", + "M82", + "M85", + "M96", + "M106", + "M140", + "M143" + ], + "member_controls": [ + "ACC-001-A14", + "ACC-001-A17", + "ACC-001-A29", + "ACC-0357", + "ACC-0357-A01", + "ACC-0357-A02", + "ACC-0357-A03", + "ACC-0357-A06", + "ACC-0410-A03", + "ACC-082-A08", + "ACC-082-A09", + "ACC-082-A17", + "ACC-082-A18", + "ACC-320-A16", + "ACC-320-A18", + "ACC-320-A24", + "ACC-320-A34", + "ACC-320-A40", + "ACC-320-A48", + "ACC-478-A08", + "ACC-499-A07", + "ACC-508-A06", + "ACC-559-A04", + "ACC-578-A07", + "ACC-607", + "AI-052-A28", + "AI-052-A29", + "AI-1027", + "AI-1027-A06", + "AI-797-A09", + "AI-797-A18", + "AI-797-A36", + "AI-797-A45", + "AI-924-A13", + "AI-924-A14", + "AUT-001", + "AUT-002", + "AUTH-008-A25", + "AUTH-1005-A01", + "AUTH-1049-A56", + "AUTH-1050-A13", + "AUTH-1052-A13", + "AUTH-1052-A22", + "AUTH-1052-A36", + "AUTH-1061-A75", + "AUTH-1084", + 
"AUTH-1095-A02", + "AUTH-1096", + "AUTH-1096-A01", + "AUTH-1102-A14", + "AUTH-112-A04", + "AUTH-112-A17", + "AUTH-1288", + "AUTH-1300-A05", + "AUTH-1313-A04", + "AUTH-1314-A03", + "AUTH-1445-A02", + "AUTH-1463-A04", + "AUTH-1463-A09", + "AUTH-1466-A09", + "AUTH-1468-A01", + "AUTH-1468-A06", + "AUTH-1524-A04", + "AUTH-1529-A04", + "AUTH-1648", + "AUTH-1648-A05", + "AUTH-1649-A02", + "AUTH-1650-A05", + "AUTH-1650-A06", + "AUTH-1658", + "AUTH-1658-A01", + "AUTH-1658-A03", + "AUTH-1658-A04", + "AUTH-1658-A06", + "AUTH-1658-A07", + "AUTH-1658-A10", + "AUTH-1660", + "AUTH-1660-A03", + "AUTH-1664", + "AUTH-1667-A07", + "AUTH-1669-A05", + "AUTH-1669-A06", + "AUTH-1671-A08", + "AUTH-1678", + "AUTH-1678-A06", + "AUTH-1679", + "AUTH-1679-A02", + "AUTH-1680", + "AUTH-1680-A03", + "AUTH-1680-A06", + "AUTH-1681", + "AUTH-1681-A01", + "AUTH-1688", + "AUTH-1692-A05", + "AUTH-1693-A07", + "AUTH-1702-A06", + "AUTH-1711-A06", + "AUTH-1742-A01", + "AUTH-1742-A07", + "AUTH-1750-A03", + "AUTH-1759-A05", + "AUTH-1776-A08", + "AUTH-1779", + "AUTH-1779-A01", + "AUTH-1790", + "AUTH-1808-A03", + "AUTH-1815", + "AUTH-1815-A01", + "AUTH-1817-A01", + "AUTH-1817-A03", + "AUTH-1818-A11", + "AUTH-1831-A03", + "AUTH-1835", + "AUTH-1835-A01", + "AUTH-1839", + "AUTH-1839-A01", + "AUTH-1839-A02", + "AUTH-1839-A04", + "AUTH-1843-A02", + "AUTH-1844", + "AUTH-1845-A04", + "AUTH-1846", + "AUTH-1849", + "AUTH-1858-A01", + "AUTH-1860", + "AUTH-1860-A02", + "AUTH-1860-A05", + "AUTH-1860-A08", + "AUTH-1860-A09", + "AUTH-1862-A09", + "AUTH-1864", + "AUTH-1864-A01", + "AUTH-1864-A02", + "AUTH-1864-A04", + "AUTH-1864-A05", + "AUTH-1864-A06", + "AUTH-1864-A07", + "AUTH-1864-A08", + "AUTH-1865-A12", + "AUTH-187-A11", + "AUTH-1908", + "AUTH-1910", + "AUTH-1910-A01", + "AUTH-1910-A03", + "AUTH-1910-A04", + "AUTH-1910-A05", + "AUTH-1910-A07", + "AUTH-1910-A08", + "AUTH-1910-A10", + "AUTH-1911-A02", + "AUTH-1912-A02", + "AUTH-1912-A06", + "AUTH-1912-A07", + "AUTH-1919-A07", + "AUTH-1930-A01", + "AUTH-1932-A03", + 
"AUTH-1933", + "AUTH-1935", + "AUTH-1940-A01", + "AUTH-1940-A04", + "AUTH-1944", + "AUTH-1944-A01", + "AUTH-1947", + "AUTH-1949", + "AUTH-1949-A01", + "AUTH-1949-A07", + "AUTH-1949-A08", + "AUTH-1949-A09", + "AUTH-2121-A04", + "AUTH-2315-A04", + "AUTH-2338-A09", + "AUTH-2368-A07", + "AUTH-2382", + "AUTH-2399-A07", + "AUTH-2405-A06", + "AUTH-2444-A02", + "AUTH-2553", + "AUTH-2553-A02", + "AUTH-2689-A06", + "AUTH-2793", + "AUTH-2793-A02", + "AUTH-2793-A04", + "AUTH-2805-A06", + "AUTH-2805-A11", + "AUTH-2822", + "AUTH-2850", + "AUTH-2851-A10", + "AUTH-2852-A02", + "AUTH-2873-A02", + "AUTH-2879", + "AUTH-2883-A06", + "AUTH-2913-A04", + "AUTH-2930-A12", + "AUTH-2979-A07", + "AUTH-3004", + "AUTH-3021-A03", + "AUTH-3024", + "AUTH-3024-A03", + "AUTH-3045-A04", + "AUTH-3068-A06", + "AUTH-3074-A04", + "AUTH-3075-A04", + "AUTH-3082-A10", + "AUTH-3150-A02", + "AUTH-3150-A08", + "AUTH-3154-A05", + "AUTH-3155-A09", + "AUTH-3266-A07", + "AUTH-3279-A01", + "AUTH-3305-A05", + "AUTH-3305-A08", + "AUTH-3455-A08", + "AUTH-3460-A04", + "AUTH-3461-A03", + "AUTH-3461-A05", + "AUTH-3486-A10", + "AUTH-3541-A03", + "AUTH-3541-A06", + "AUTH-3541-A08", + "AUTH-3542-A06", + "AUTH-3545-A07", + "AUTH-3550", + "AUTH-3550-A01", + "AUTH-3554-A02", + "AUTH-3595", + "AUTH-3595-A06", + "AUTH-3595-A08", + "AUTH-3596", + "AUTH-3596-A04", + "AUTH-3597-A06", + "AUTH-3597-A10", + "AUTH-3599-A04", + "AUTH-3624-A06", + "AUTH-3638", + "AUTH-3642-A04", + "AUTH-3644", + "AUTH-3751-A08", + "AUTH-3948-A04", + "AUTH-3958-A02", + "AUTH-3963-A03", + "AUTH-3964-A07", + "AUTH-3993", + "AUTH-3993-A02", + "AUTH-4027-A02", + "AUTH-4030-A03", + "AUTH-4031-A08", + "AUTH-4032-A02", + "AUTH-4032-A14", + "AUTH-4036-A04", + "AUTH-4040", + "AUTH-4085", + "AUTH-4085-A01", + "AUTH-4095-A17", + "AUTH-452-A04", + "AUTH-474-A07", + "AUTH-494-A02", + "AUTH-505", + "AUTH-505-A02", + "AUTH-505-A06", + "AUTH-515", + "AUTH-515-A02", + "AUTH-515-A03", + "AUTH-515-A04", + "AUTH-515-A07", + "AUTH-524-A02", + "AUTH-524-A06", + 
"AUTH-524-A09", + "AUTH-550", + "AUTH-550-A01", + "AUTH-550-A06", + "AUTH-558-A01", + "AUTH-559-A04", + "AUTH-559-A13", + "AUTH-584-A06", + "AUTH-586", + "AUTH-586-A01", + "AUTH-615-A06", + "AUTH-623-A07", + "AUTH-623-A08", + "AUTH-666", + "AUTH-666-A01", + "AUTH-700-A01", + "AUTH-710-A06", + "AUTH-732-A01", + "AUTH-743-A04", + "AUTH-743-A10", + "AUTH-751", + "AUTH-751-A05", + "AUTH-751-A06", + "AUTH-751-A07", + "AUTH-751-A08", + "AUTH-762-A11", + "AUTH-774-A01", + "AUTH-783", + "AUTH-784-A08", + "AUTH-784-A09", + "AUTH-789-A03", + "AUTH-804-A05", + "AUTH-818-A19", + "AUTH-820", + "AUTH-820-A01", + "AUTH-822-A06", + "AUTH-822-A08", + "AUTH-824-A15", + "AUTH-836", + "AUTH-836-A01", + "AUTH-836-A02", + "AUTH-836-A06", + "AUTH-836-A08", + "AUTH-836-A09", + "AUTH-836-A12", + "AUTH-836-A17", + "AUTH-836-A18", + "AUTH-837-A07", + "AUTH-845-A07", + "AUTH-845-A19", + "AUTH-845-A29", + "AUTH-845-A39", + "AUTH-845-A55", + "AUTH-846-A04", + "AUTH-846-A09", + "AUTH-846-A13", + "AUTH-846-A19", + "AUTH-846-A23", + "AUTH-846-A29", + "AUTH-846-A33", + "AUTH-846-A38", + "AUTH-846-A42", + "AUTH-846-A48", + "AUTH-849-A26", + "AUTH-849-A27", + "AUTH-849-A31", + "AUTH-849-A32", + "AUTH-849-A43", + "AUTH-849-A44", + "AUTH-849-A46", + "AUTH-849-A47", + "AUTH-849-A58", + "AUTH-849-A59", + "AUTH-898", + "AUTH-898-A09", + "AUTH-898-A17", + "AUTH-925-A05", + "AUTH-925-A06", + "AUTH-925-A12", + "AUTH-944", + "AUTH-944-A05", + "AUTH-986-A08", + "AUTH-986-A09", + "COMP-1055", + "COMP-1264-A04", + "COMP-1266", + "COMP-1883-A07", + "COMP-1904-A06", + "COMP-1904-A07", + "COMP-2028-A07", + "COMP-2060-A01", + "COMP-2129-A04", + "CRYP-1116-A02", + "CRYP-1134-A06", + "CRYP-1150-A06", + "CRYP-1162-A04", + "CRYP-1201-A01", + "CRYP-1203-A01", + "CRYP-1210-A09", + "CRYP-1217-A02", + "CRYP-1267", + "CRYP-1267-A02", + "CRYP-1286", + "CRYP-1286-A02", + "CRYP-1288-A10", + "CRYP-1293-A08", + "CRYP-1299-A09", + "CRYP-1316-A05", + "CRYP-1336", + "CRYP-1336-A02", + "CRYP-1336-A06", + "CRYP-1372-A05", + 
"CRYP-1378", + "CRYP-1382", + "CRYP-1385", + "CRYP-1385-A03", + "CRYP-1385-A05", + "CRYP-1385-A07", + "CRYP-1389", + "CRYP-1404", + "CRYP-1421", + "CRYP-1421-A01", + "CRYP-1421-A07", + "CRYP-1421-A10", + "CRYP-1424-A03", + "CRYP-1433-A07", + "CRYP-1434-A03", + "CRYP-1449-A04", + "CRYP-1449-A11", + "CRYP-1463", + "CRYP-1463-A03", + "CRYP-1467-A03", + "CRYP-1467-A08", + "CRYP-1469-A02", + "CRYP-1469-A07", + "CRYP-1469-A08", + "CRYP-1475", + "CRYP-1520-A05", + "CRYP-1520-A10", + "CRYP-1522-A02", + "CRYP-1523", + "CRYP-1523-A02", + "CRYP-1523-A04", + "CRYP-1523-A08", + "CRYP-1524-A04", + "CRYP-1525-A08", + "CRYP-1531-A02", + "CRYP-1531-A05", + "CRYP-1535", + "CRYP-1535-A04", + "CRYP-1535-A05", + "CRYP-1535-A11", + "CRYP-1537", + "CRYP-1539-A03", + "CRYP-1539-A08", + "CRYP-1725-A02", + "CRYP-1750-A09", + "CRYP-1750-A13", + "CRYP-1793", + "CRYP-1864-A05", + "CRYP-193-A03", + "CRYP-1993-A03", + "CRYP-2142-A06", + "CRYP-2148-A01", + "CRYP-2148-A06", + "CRYP-2179-A09", + "CRYP-2334", + "CRYP-637-A10", + "CRYP-713-A07", + "CRYP-738-A06", + "CRYP-790", + "CRYP-796-A08", + "CRYP-809", + "CRYP-809-A01", + "CRYP-848", + "DATA-1274-A03", + "DATA-1499-A06", + "DATA-2427-A06", + "DATA-2493-A12", + "DATA-2510-A07", + "DATA-3376-A06", + "DATA-4225-A04", + "DATA-4317-A05", + "DATA-879-A07", + "DATA-879-A10", + "DATA-879-A14", + "GOV-1439-A09", + "GOV-1732-A01", + "GOV-1733-A04", + "GOV-180-A06", + "GOV-180-A12", + "GOV-2076-A13", + "GOV-3110-A02", + "IDF-004", + "IDF-004-A01", + "IDF-006", + "INC-978-A09", + "INC-978-A10", + "INC-978-A11", + "LOG-107-A02", + "LOG-1861-A06", + "MSG-003", + "NET-1015-A02", + "NET-1233-A07", + "NET-1293-A02", + "NET-1467-A13", + "NET-1482-A11", + "NET-651-A03", + "NET-651-A13", + "NET-651-A23", + "NET-651-A33", + "NET-651-A43", + "NET-651-A54", + "NET-758-A01", + "NET-758-A07", + "NET-758-A14", + "NET-758-A20", + "NET-758-A28", + "NET-857-A06", + "NET-857-A12", + "NET-860-A09", + "NET-879-A03", + "NET-991-A07", + "NET-991-A08", + "SEC-052-A06", + 
"SEC-093-A05", + "SEC-093-A06", + "SEC-2176-A03", + "SEC-2643-A15", + "SEC-2738-A06", + "SEC-2809", + "SEC-2809-A02", + "SEC-2809-A03", + "SEC-2809-A05", + "SEC-2809-A09", + "SEC-2839-A02", + "SEC-2845-A09", + "SEC-3383-A03", + "SEC-3605", + "SEC-3728-A11", + "SEC-3740-A03", + "SEC-3965-A02", + "SEC-4015-A08", + "SEC-4089-A08", + "SEC-4090", + "SEC-4090-A04", + "SEC-4090-A05", + "SEC-4090-A08", + "SEC-4217", + "SEC-4292-A11", + "SEC-4292-A12", + "SEC-4295", + "SEC-4295-A01", + "SEC-4508", + "SEC-4509-A07", + "SEC-4513-A07", + "SEC-4560-A03", + "SEC-5435-A03", + "SEC-5505-A05", + "SEC-5767-A01", + "SEC-6784-A08", + "SEC-6804-A01", + "SEC-6804-A02", + "SEC-6833-A07", + "SEC-7984-A07", + "SEC-8241-A01", + "SEC-8257-A10" + ], + "member_count": 533, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.85, + "source_meta_cluster": "M1", + "cluster_size": 234, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "credential_lifecycle_management", + "name": "Verwaltung von Authentifizierungsmitteln (Lifecycle)", + "description": "Authentifizierungsmittel sind ueber ihren gesamten Lebenszyklus (Ausstellung, Erneuerung, Sperrung, Loeschung) zu verwalten und aktuell zu halten.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "credential", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "ISO", + "anchor": "ISO 27001 A.5.17", + "role": "best_practice" + }, + { + "source": "NIST", + "anchor": "MP-06", + "role": "best_practice" + } + ], + "member_review_units": [ + "M1", + "M30", + "M44", + "M63", + "M93" + ], + "member_controls": [ + "ACC-001-A14", + "ACC-001-A17", + "ACC-001-A29", + "ACC-0410-A03", + "ACC-082-A08", + "ACC-082-A09", + "ACC-082-A17", 
+ "ACC-082-A18", + "ACC-320-A16", + "ACC-320-A18", + "ACC-320-A24", + "ACC-320-A34", + "ACC-320-A40", + "ACC-320-A48", + "ACC-478-A08", + "ACC-499-A07", + "ACC-508-A06", + "ACC-559-A04", + "ACC-578-A07", + "ACC-607", + "AI-052-A28", + "AI-052-A29", + "AI-797-A09", + "AI-797-A18", + "AI-797-A36", + "AI-797-A45", + "AI-924-A13", + "AI-924-A14", + "AUTH-008-A25", + "AUTH-1049-A35", + "AUTH-1049-A50", + "AUTH-1049-A56", + "AUTH-1050-A13", + "AUTH-1061-A75", + "AUTH-1084", + "AUTH-1095-A02", + "AUTH-1096", + "AUTH-1096-A01", + "AUTH-1102-A14", + "AUTH-112-A04", + "AUTH-112-A17", + "AUTH-1288", + "AUTH-1300-A05", + "AUTH-1313-A04", + "AUTH-1314-A03", + "AUTH-1445-A02", + "AUTH-1463-A04", + "AUTH-1463-A09", + "AUTH-1466-A09", + "AUTH-1468-A01", + "AUTH-1468-A06", + "AUTH-1480", + "AUTH-1480-A01", + "AUTH-1524-A04", + "AUTH-1529-A04", + "AUTH-1637", + "AUTH-1637-A01", + "AUTH-1661-A01", + "AUTH-1669-A05", + "AUTH-1669-A06", + "AUTH-1670", + "AUTH-1677-A02", + "AUTH-1677-A08", + "AUTH-1678-A03", + "AUTH-1679", + "AUTH-1679-A02", + "AUTH-1700-A03", + "AUTH-1706", + "AUTH-1706-A01", + "AUTH-1706-A02", + "AUTH-1706-A07", + "AUTH-1706-A08", + "AUTH-1711-A06", + "AUTH-1725", + "AUTH-1742-A01", + "AUTH-1742-A07", + "AUTH-1746", + "AUTH-1746-A01", + "AUTH-1759-A05", + "AUTH-1790", + "AUTH-1813-A07", + "AUTH-1818-A11", + "AUTH-1860-A05", + "AUTH-1860-A08", + "AUTH-1860-A09", + "AUTH-1862-A09", + "AUTH-1865-A12", + "AUTH-187-A11", + "AUTH-1910-A05", + "AUTH-1912-A07", + "AUTH-1940-A04", + "AUTH-2121-A04", + "AUTH-2315-A04", + "AUTH-2338-A09", + "AUTH-2338-A10", + "AUTH-2371-A05", + "AUTH-2399-A07", + "AUTH-2405-A06", + "AUTH-2416-A07", + "AUTH-2438", + "AUTH-2464", + "AUTH-2793", + "AUTH-2793-A02", + "AUTH-2805-A06", + "AUTH-2805-A11", + "AUTH-2817-A01", + "AUTH-2817-A02", + "AUTH-2850", + "AUTH-2851-A10", + "AUTH-2879", + "AUTH-2979-A07", + "AUTH-3004", + "AUTH-3045-A04", + "AUTH-3068", + "AUTH-3068-A01", + "AUTH-3068-A03", + "AUTH-3068-A05", + "AUTH-3068-A06", + "AUTH-3073-A01", + 
"AUTH-3082-A10", + "AUTH-3161", + "AUTH-3258-A08", + "AUTH-3266-A07", + "AUTH-3460-A04", + "AUTH-3461-A03", + "AUTH-3461-A05", + "AUTH-3486-A10", + "AUTH-3541-A06", + "AUTH-3542-A06", + "AUTH-3554-A01", + "AUTH-3554-A02", + "AUTH-3554-A05", + "AUTH-3595", + "AUTH-3595-A06", + "AUTH-3595-A08", + "AUTH-3596", + "AUTH-3596-A04", + "AUTH-3597-A06", + "AUTH-3599-A04", + "AUTH-3638", + "AUTH-3712", + "AUTH-3751-A08", + "AUTH-3948-A04", + "AUTH-3958-A02", + "AUTH-3964-A07", + "AUTH-3993", + "AUTH-3993-A02", + "AUTH-4006-A14", + "AUTH-4027-A02", + "AUTH-4030-A03", + "AUTH-4031-A08", + "AUTH-4032-A02", + "AUTH-4036-A04", + "AUTH-4085", + "AUTH-4085-A01", + "AUTH-4095-A17", + "AUTH-4130-A03", + "AUTH-4135-A01", + "AUTH-494-A02", + "AUTH-505-A06", + "AUTH-559-A04", + "AUTH-559-A13", + "AUTH-584-A06", + "AUTH-615-A06", + "AUTH-623-A07", + "AUTH-623-A08", + "AUTH-710-A06", + "AUTH-732-A01", + "AUTH-743-A04", + "AUTH-743-A10", + "AUTH-751-A05", + "AUTH-751-A06", + "AUTH-751-A07", + "AUTH-751-A08", + "AUTH-762-A11", + "AUTH-774-A01", + "AUTH-784-A08", + "AUTH-784-A09", + "AUTH-804-A05", + "AUTH-822-A06", + "AUTH-822-A08", + "AUTH-824-A15", + "AUTH-827-A04", + "AUTH-827-A13", + "AUTH-836", + "AUTH-836-A01", + "AUTH-836-A02", + "AUTH-836-A06", + "AUTH-836-A08", + "AUTH-836-A09", + "AUTH-836-A12", + "AUTH-836-A17", + "AUTH-836-A18", + "AUTH-837-A07", + "AUTH-845-A07", + "AUTH-845-A19", + "AUTH-845-A29", + "AUTH-845-A39", + "AUTH-845-A55", + "AUTH-846-A09", + "AUTH-846-A19", + "AUTH-846-A29", + "AUTH-846-A38", + "AUTH-846-A48", + "AUTH-849-A26", + "AUTH-849-A27", + "AUTH-849-A31", + "AUTH-849-A32", + "AUTH-849-A43", + "AUTH-849-A44", + "AUTH-849-A46", + "AUTH-849-A47", + "AUTH-849-A58", + "AUTH-849-A59", + "AUTH-925-A05", + "AUTH-925-A06", + "AUTH-925-A12", + "AUTH-986-A08", + "AUTH-986-A09", + "COMP-1264-A04", + "COMP-1904-A06", + "COMP-1904-A07", + "COMP-1960-A07", + "COMP-2129-A04", + "CRYP-1089-A02", + "CRYP-1210-A09", + "CRYP-1214-A04", + "CRYP-1299-A09", + "CRYP-1372-A05", + 
"CRYP-1433-A07", + "CRYP-1725-A02", + "CRYP-1750-A09", + "CRYP-1751-A10", + "CRYP-1751-A11", + "CRYP-1864-A05", + "CRYP-2142-A06", + "CRYP-2148-A06", + "CRYP-2179-A09", + "CRYP-2334", + "CRYP-637-A10", + "CRYP-713-A07", + "CRYP-738-A06", + "CRYP-790", + "DATA-1240-A08", + "DATA-2493-A12", + "DATA-2510-A07", + "DATA-2572", + "DATA-3376-A06", + "DATA-3649-A14", + "DATA-4225-A04", + "DATA-4317-A05", + "DATA-4666-A04", + "GOV-180-A06", + "GOV-180-A12", + "GOV-2076-A13", + "GOV-3110-A02", + "INC-946-A11", + "LOG-107-A02", + "LOG-1861-A06", + "MSG-003-A03", + "NET-1293-A02", + "NET-857-A06", + "NET-857-A12", + "NET-860-A09", + "SEC-052-A06", + "SEC-093-A05", + "SEC-093-A06", + "SEC-2643-A15", + "SEC-2738-A06", + "SEC-2809", + "SEC-2809-A02", + "SEC-2809-A05", + "SEC-2809-A09", + "SEC-3383-A03", + "SEC-3740-A03", + "SEC-3965-A02", + "SEC-3991", + "SEC-4292-A12", + "SEC-4295", + "SEC-4513-A07", + "SEC-4560-A03", + "SEC-5435-A03", + "SEC-5505-A05", + "SEC-5767-A01", + "SEC-6784-A08", + "SEC-6804-A01", + "SEC-6804-A02", + "SEC-6833-A07", + "SEC-6846-A05", + "SEC-6925-A10", + "SEC-7425-A04", + "SEC-7984-A07" + ], + "member_count": 292, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.83, + "source_meta_cluster": "M30", + "cluster_size": 13, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "merged_from": [ + "secure_credential_deletion" + ] + }, + { + "id": "credential_confidentiality_protection", + "name": "Vertraulichkeit von Authentifizierungsmaterial", + "description": "Authentifizierungsgeheimnisse, -daten und -material sind vor unbefugtem Zugriff, Offenlegung und Speicherung in Logs zu schuetzen.", + "tier": "LEGAL_MINIMUM", + "family": "authentication", + "subdomain": "credential", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": 
"LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I (2)(e)", + "citation": "protect the confidentiality of stored, transmitted or otherwise processed data" + } + ], + "guidance_basis": [ + { + "source": "OWASP", + "anchor": "ASVS V2", + "role": "best_practice" + }, + { + "source": "Sichere Speicherung von Authentifizierungsgeheimnissen", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "credential_storage_hashing" + } + ], + "member_review_units": [ + "M35", + "M122", + "M123", + "M15", + "M37", + "M84" + ], + "member_controls": [ + "ACC-645-A13", + "ACC-645-A16", + "ACC-690-A02", + "AI-1351-A03", + "AUTH-036", + "AUTH-036-A10", + "AUTH-036-A13", + "AUTH-1099-A01", + "AUTH-1283-A03", + "AUTH-1286", + "AUTH-1295-A02", + "AUTH-1296", + "AUTH-1296-A01", + "AUTH-1300-A02", + "AUTH-1313-A02", + "AUTH-1437-A03", + "AUTH-1441-A07", + "AUTH-1441-A08", + "AUTH-1468-A02", + "AUTH-148-A11", + "AUTH-1524-A03", + "AUTH-1529-A10", + "AUTH-1535", + "AUTH-1535-A06", + "AUTH-1627", + "AUTH-1634", + "AUTH-1634-A01", + "AUTH-1640-A02", + "AUTH-1646", + "AUTH-1669", + "AUTH-1669-A01", + "AUTH-1669-A02", + "AUTH-1693", + "AUTH-1693-A01", + "AUTH-1694", + "AUTH-1694-A01", + "AUTH-1694-A02", + "AUTH-1721-A01", + "AUTH-1734-A02", + "AUTH-1747", + "AUTH-1817", + "AUTH-1819-A02", + "AUTH-1820", + "AUTH-1836-A02", + "AUTH-1858", + "AUTH-1865", + "AUTH-1865-A01", + "AUTH-1865-A08", + "AUTH-1877-A04", + "AUTH-1915", + "AUTH-1915-A01", + "AUTH-1919", + "AUTH-1949-A06", + "AUTH-2167-A01", + "AUTH-2317-A02", + "AUTH-2317-A06", + "AUTH-2333-A03", + "AUTH-2375-A05", + "AUTH-2416", + "AUTH-2416-A05", + "AUTH-2416-A08", + "AUTH-2419-A06", + "AUTH-2423", + "AUTH-2423-A04", + "AUTH-2425", + "AUTH-2430-A01", + "AUTH-2466-A08", + "AUTH-2466-A11", + "AUTH-2486", + "AUTH-2553-A12", + "AUTH-2650", + "AUTH-2650-A01", + "AUTH-2793-A01", + "AUTH-2805", + "AUTH-2805-A01", + "AUTH-2805-A02", + "AUTH-2805-A03", + "AUTH-2805-A04", 
+ "AUTH-2805-A05", + "AUTH-2850-A02", + "AUTH-2850-A04", + "AUTH-2875-A02", + "AUTH-2886-A04", + "AUTH-2921", + "AUTH-2922-A06", + "AUTH-2923-A01", + "AUTH-2930-A07", + "AUTH-2933-A04", + "AUTH-2935", + "AUTH-2935-A08", + "AUTH-2937", + "AUTH-2937-A05", + "AUTH-2940", + "AUTH-2945", + "AUTH-2953", + "AUTH-2956", + "AUTH-2974-A03", + "AUTH-2975", + "AUTH-2995", + "AUTH-2996-A05", + "AUTH-3010", + "AUTH-3013-A10", + "AUTH-3016-A14", + "AUTH-3017-A07", + "AUTH-3018-A05", + "AUTH-3024-A03", + "AUTH-3074-A01", + "AUTH-3151-A04", + "AUTH-3255", + "AUTH-3255-A02", + "AUTH-3258-A02", + "AUTH-3258-A05", + "AUTH-3279", + "AUTH-3305", + "AUTH-3425-A03", + "AUTH-3430-A01", + "AUTH-3430-A02", + "AUTH-3550-A02", + "AUTH-3597-A01", + "AUTH-3643", + "AUTH-3645-A07", + "AUTH-3652", + "AUTH-3652-A01", + "AUTH-3652-A02", + "AUTH-3652-A03", + "AUTH-3652-A04", + "AUTH-3652-A09", + "AUTH-3672", + "AUTH-3751-A02", + "AUTH-3751-A04", + "AUTH-3865-A07", + "AUTH-3906-A14", + "AUTH-3908-A04", + "AUTH-3929", + "AUTH-3955-A07", + "AUTH-3958-A01", + "AUTH-3958-A06", + "AUTH-3984", + "AUTH-3984-A03", + "AUTH-3987", + "AUTH-3987-A02", + "AUTH-4050", + "AUTH-4121-A02", + "AUTH-577-A06", + "AUTH-592-A04", + "AUTH-625", + "AUTH-625-A01", + "AUTH-655", + "AUTH-655-A01", + "AUTH-655-A04", + "AUTH-655-A08", + "AUTH-655-A15", + "AUTH-670", + "AUTH-674-A03", + "AUTH-674-A04", + "AUTH-675-A03", + "AUTH-700-A03", + "AUTH-710-A02", + "AUTH-718", + "AUTH-732-A02", + "AUTH-732-A03", + "AUTH-734-A10", + "AUTH-748", + "AUTH-748-A02", + "AUTH-748-A04", + "AUTH-748-A09", + "AUTH-750", + "AUTH-763", + "AUTH-771-A02", + "AUTH-783", + "AUTH-784-A04", + "AUTH-784-A05", + "AUTH-784-A06", + "AUTH-789", + "AUTH-789-A01", + "AUTH-818-A08", + "AUTH-818-A14", + "AUTH-833-A04", + "AUTH-833-A09", + "AUTH-836-A03", + "AUTH-836-A10", + "AUTH-836-A14", + "AUTH-843-A05", + "AUTH-843-A14", + "AUTH-843-A23", + "AUTH-843-A33", + "AUTH-843-A43", + "AUTH-843-A50", + "AUTH-846-A05", + "AUTH-846-A14", + "AUTH-846-A24", + 
"AUTH-846-A34", + "AUTH-846-A43", + "AUTH-849-A02", + "AUTH-849-A04", + "AUTH-849-A11", + "AUTH-849-A13", + "AUTH-849-A18", + "AUTH-849-A20", + "AUTH-849-A35", + "AUTH-849-A37", + "AUTH-849-A50", + "AUTH-850", + "AUTH-850-A05", + "AUTH-850-A09", + "AUTH-850-A15", + "AUTH-850-A34", + "AUTH-919", + "AUTH-925-A02", + "AUTH-925-A09", + "AUTH-925-A17", + "AUTH-934", + "AUTH-934-A01", + "AUTH-934-A02", + "AUTH-934-A03", + "AUTH-934-A04", + "AUTH-934-A09", + "AUTH-934-A10", + "AUTH-934-A11", + "AUTH-934-A12", + "AUTH-934-A18", + "AUTH-934-A19", + "AUTH-934-A20", + "AUTH-934-A21", + "AUTH-934-A27", + "AUTH-934-A28", + "AUTH-934-A29", + "AUTH-934-A30", + "AUTH-934-A40", + "AUTH-934-A41", + "AUTH-934-A42", + "AUTH-934-A43", + "AUTH-987", + "AUTH-987-A01", + "AUTH-987-A23", + "AUTH-987-A24", + "COMP-1264", + "COMP-1735-A09", + "COMP-1745-A03", + "COMP-262-A01", + "COMP-2876-A05", + "COMP-3431-A02", + "COMP-3983", + "COMP-3983-A13", + "CRYP-1124", + "CRYP-1124-A01", + "CRYP-1124-A04", + "CRYP-1124-A08", + "CRYP-1134-A05", + "CRYP-1159-A02", + "CRYP-1239-A01", + "CRYP-1255", + "CRYP-1267", + "CRYP-1267-A02", + "CRYP-1271", + "CRYP-1336", + "CRYP-1336-A02", + "CRYP-1336-A06", + "CRYP-1421-A02", + "CRYP-1424-A03", + "CRYP-1434-A03", + "CRYP-1458-A06", + "CRYP-1460-A04", + "CRYP-1475", + "CRYP-1702-A03", + "CRYP-1712-A01", + "CRYP-1732-A01", + "CRYP-191-A02", + "CRYP-1927", + "CRYP-1942-A10", + "CRYP-2101-A02", + "CRYP-2173-A01", + "CRYP-2179", + "CRYP-224-A08", + "CRYP-2254-A04", + "CRYP-2363-A05", + "CRYP-780-A02", + "CRYP-873", + "CRYP-880-A04", + "DATA-4027-A02", + "DATA-720-A02", + "INC-971-A06", + "NET-004-A05", + "NET-004-A09", + "NET-004-A19", + "NET-104-A02", + "NET-104-A10", + "NET-1291-A16", + "NET-1293-A07", + "NET-1309-A01", + "NET-1343-A05", + "NET-1471-A01", + "NET-149-A01", + "NET-149-A11", + "NET-1856-A05", + "SEC-171-A16", + "SEC-171-A34", + "SEC-2035-A04", + "SEC-2153-A03", + "SEC-2809-A04", + "SEC-2853-A04", + "SEC-3195", + "SEC-3223", + "SEC-3223-A09", + 
"SEC-3643-A08", + "SEC-400-A04", + "SEC-400-A05", + "SEC-400-A21", + "SEC-400-A22", + "SEC-4561-A04", + "SEC-4966-A07", + "SEC-5610-A02", + "SEC-5780", + "SEC-6107-A02", + "SEC-8325" + ], + "member_count": 315, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.85, + "source_meta_cluster": "M122", + "cluster_size": 11, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "password_policy", + "name": "Passwort-Richtlinien und Mindestanforderungen", + "description": "Passwortbasierte Authentifizierung muss Mindestlaenge, Komplexitaet und initiale Vergabe gemaess Standard umsetzen.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "password", + "applicability": "conditional:password_based", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-63B 5.1.1", + "role": "best_practice" + }, + { + "source": "Keine wissensbasierte Authentifizierung als Primaerfaktor", + "anchor": "", + "role": "implementation_guidance", + "merged_from": "no_kba_primary" + } + ], + "member_review_units": [ + "M26", + "M33", + "M87", + "M104", + "M128" + ], + "member_controls": [ + "AUTH-001", + "AUTH-046", + "AUTH-1018-A02", + "AUTH-1018-A03", + "AUTH-1067", + "AUTH-1102-A02", + "AUTH-1102-A04", + "AUTH-1275", + "AUTH-1280", + "AUTH-1295-A06", + "AUTH-1303-A01", + "AUTH-1303-A02", + "AUTH-1310-A02", + "AUTH-1314", + "AUTH-1314-A01", + "AUTH-1316", + "AUTH-1426-A03", + "AUTH-1446-A01", + "AUTH-1525", + "AUTH-1529-A03", + "AUTH-1529-A07", + "AUTH-1649-A01", + "AUTH-1649-A03", + "AUTH-1649-A04", + "AUTH-1677-A03", + "AUTH-1682-A02", + "AUTH-1810-A04", + "AUTH-1896", + "AUTH-1896-A02", + "AUTH-1896-A03", + "AUTH-1896-A04", + "AUTH-1901-A03", + "AUTH-1919", + "AUTH-1949-A06", + 
"AUTH-2317-A06", + "AUTH-2368-A01", + "AUTH-2368-A02", + "AUTH-2368-A05", + "AUTH-2419-A04", + "AUTH-2419-A05", + "AUTH-2452-A01", + "AUTH-2452-A02", + "AUTH-2452-A03", + "AUTH-2452-A08", + "AUTH-2452-A09", + "AUTH-2461", + "AUTH-2461-A01", + "AUTH-2475-A04", + "AUTH-2689", + "AUTH-2689-A01", + "AUTH-2689-A03", + "AUTH-2689-A05", + "AUTH-2822-A02", + "AUTH-2822-A07", + "AUTH-2866-A02", + "AUTH-2873-A03", + "AUTH-2877", + "AUTH-2877-A02", + "AUTH-2886-A01", + "AUTH-2922-A06", + "AUTH-2923-A01", + "AUTH-2930-A01", + "AUTH-2930-A07", + "AUTH-2930-A08", + "AUTH-2937-A04", + "AUTH-2944-A12", + "AUTH-2946-A02", + "AUTH-2953", + "AUTH-2956-A04", + "AUTH-2963-A05", + "AUTH-2965-A05", + "AUTH-2968-A05", + "AUTH-2969-A01", + "AUTH-2978-A04", + "AUTH-2981-A07", + "AUTH-2982-A01", + "AUTH-2987", + "AUTH-2987-A08", + "AUTH-2987-A09", + "AUTH-2993", + "AUTH-2993-A04", + "AUTH-2996-A07", + "AUTH-3002-A06", + "AUTH-3011", + "AUTH-3011-A01", + "AUTH-3012", + "AUTH-3013-A04", + "AUTH-3013-A07", + "AUTH-3013-A10", + "AUTH-3015", + "AUTH-3015-A01", + "AUTH-3015-A02", + "AUTH-3017-A06", + "AUTH-3018", + "AUTH-3018-A04", + "AUTH-3064-A03", + "AUTH-3074-A01", + "AUTH-3151-A03", + "AUTH-3155-A02", + "AUTH-3155-A05", + "AUTH-3305-A01", + "AUTH-3454-A01", + "AUTH-3454-A05", + "AUTH-3454-A06", + "AUTH-3454-A07", + "AUTH-3460", + "AUTH-3460-A06", + "AUTH-3461", + "AUTH-3461-A01", + "AUTH-3461-A07", + "AUTH-3541-A02", + "AUTH-3541-A07", + "AUTH-3594", + "AUTH-3594-A01", + "AUTH-3594-A02", + "AUTH-3594-A07", + "AUTH-3596-A01", + "AUTH-3596-A07", + "AUTH-3635-A05", + "AUTH-3652-A05", + "AUTH-3652-A06", + "AUTH-3654-A02", + "AUTH-3705-A06", + "AUTH-3900", + "AUTH-3900-A01", + "AUTH-3900-A02", + "AUTH-3900-A05", + "AUTH-3906-A03", + "AUTH-3906-A04", + "AUTH-3946-A01", + "AUTH-3955-A02", + "AUTH-3955-A03", + "AUTH-3963-A01", + "AUTH-3963-A02", + "AUTH-3969", + "AUTH-3969-A02", + "AUTH-3982-A01", + "AUTH-3984-A06", + "AUTH-3988-A04", + "AUTH-3999-A04", + "AUTH-4035-A01", + "AUTH-4069-A02", + 
"AUTH-4072-A13", + "AUTH-4076", + "AUTH-4079-A04", + "AUTH-4123-A02", + "AUTH-4130-A02", + "AUTH-520-A04", + "AUTH-538", + "AUTH-551", + "AUTH-551-A02", + "AUTH-559-A17", + "AUTH-616-A04", + "AUTH-616-A14", + "AUTH-616-A17", + "AUTH-648", + "AUTH-680-A04", + "AUTH-750", + "AUTH-754-A05", + "AUTH-754-A07", + "AUTH-754-A12", + "AUTH-763-A06", + "AUTH-766-A06", + "AUTH-769-A07", + "AUTH-774-A03", + "AUTH-775-A06", + "AUTH-803-A02", + "AUTH-807-A04", + "AUTH-813", + "AUTH-825", + "AUTH-827", + "AUTH-827-A10", + "AUTH-831-A03", + "AUTH-831-A05", + "AUTH-836-A03", + "AUTH-836-A10", + "AUTH-836-A14", + "AUTH-849-A02", + "AUTH-849-A11", + "AUTH-849-A18", + "AUTH-849-A35", + "AUTH-849-A50", + "AUTH-850-A05", + "AUTH-850-A15", + "AUTH-850-A34", + "AUTH-851-A16", + "AUTH-855-A01", + "AUTH-855-A16", + "AUTH-855-A31", + "AUTH-855-A46", + "AUTH-855-A47", + "AUTH-855-A61", + "AUTH-867-A20", + "AUTH-939", + "AUTH-939-A01", + "AUTH-939-A02", + "AUTH-939-A09", + "AUTH-939-A19", + "AUTH-939-A26", + "AUTH-939-A31", + "AUTH-939-A42", + "BND-002-A02", + "BND-002-A04", + "BND-002-A06", + "BND-002-A08", + "COMP-1960-A01", + "COMP-2780-A04", + "COMP-3431-A02", + "CRYP-1079-A07", + "CRYP-1079-A08", + "CRYP-1359-A05", + "CRYP-1652-A09", + "CRYP-1700-A02", + "CRYP-1751-A02", + "CRYP-1819-A01", + "CRYP-1927-A06", + "CRYP-2287", + "CRYP-2301-A06", + "CRYP-2315-A06", + "CRYP-2355-A01", + "CRYP-626-A05", + "CRYP-876-A06", + "DATA-2662-A05", + "DATA-3154-A06", + "DATA-3613-A02", + "DATA-3613-A04", + "DATA-3614-A02", + "GIA-002-A10", + "GOV-3868-A11", + "LOG-967", + "LOG-967-A01", + "LOG-967-A03", + "LOG-967-A05", + "NET-1243-A05", + "NET-1633-A02", + "NET-822-A10", + "SEC-2445-A01", + "SEC-3157-A03", + "SEC-3223-A04", + "SEC-3643-A07", + "SEC-4566-A04", + "SEC-4966-A04", + "SEC-5640-A04", + "SEC-5792-A01", + "SEC-5915-A05", + "SEC-7793-A05", + "SEC-7984", + "SEC-7984-A01", + "SEC-7984-A04", + "SEC-7984-A08", + "SEC-8825-A04", + "SEC-8825-A05", + "SEC-9065-A01" + ], + "member_count": 253, + 
"relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.82, + "source_meta_cluster": "M87", + "cluster_size": 22, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "no_default_credentials", + "name": "Keine Standard-/Default-Credentials", + "description": "Standardpasswoerter und Default-Credentials muessen geaendert/deaktiviert werden; keine Auslieferung mit fest eingestellten Zugangsdaten.", + "tier": "LEGAL_MINIMUM", + "family": "authentication", + "subdomain": "password", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I (2)(a)", + "citation": "be made available with a secure by default configuration" + } + ], + "guidance_basis": [], + "member_review_units": [ + "M104" + ], + "member_controls": [ + "AUTH-3017-A06", + "AUTH-3654-A02", + "AUTH-3969", + "AUTH-4123-A02", + "COMP-1960-A01", + "CRYP-1079-A07", + "NET-822-A10", + "SEC-3223-A04", + "SEC-4966-A04" + ], + "member_count": 9, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.8, + "source_meta_cluster": "M104", + "cluster_size": 9, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "account_lockout_failed_attempts", + "name": "Account-Sperrung nach fehlgeschlagenen Versuchen", + "description": "Nach wiederholten fehlgeschlagenen Authentifizierungsversuchen sind Lockout-/Rate-Limit-Massnahmen umzusetzen, inkl. 
biometrischer Versuchszaehlung.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "credential", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "OWASP", + "anchor": "ASVS V2.2", + "role": "best_practice" + } + ], + "member_review_units": [ + "M43", + "M33", + "M3", + "M88" + ], + "member_controls": [ + "ACC-0383-A06", + "ACC-0384-A02", + "ACC-0384-A03", + "ACC-082-A06", + "ACC-082-A07", + "ACC-082-A15", + "ACC-082-A16", + "ACC-320", + "ACC-320-A01", + "ACC-320-A02", + "ACC-320-A03", + "ACC-320-A04", + "ACC-320-A06", + "ACC-320-A09", + "ACC-320-A10", + "ACC-320-A11", + "ACC-320-A12", + "ACC-320-A13", + "ACC-320-A17", + "ACC-320-A19", + "ACC-320-A20", + "ACC-320-A21", + "ACC-320-A26", + "ACC-320-A28", + "ACC-320-A29", + "ACC-320-A35", + "ACC-320-A36", + "ACC-320-A37", + "ACC-320-A38", + "ACC-320-A41", + "ACC-320-A42", + "ACC-320-A43", + "ACC-320-A44", + "ACC-320-A45", + "ACC-327-A18", + "ACC-327-A60", + "ACC-427", + "ACC-427-A01", + "ACC-427-A02", + "ACC-427-A03", + "ACC-427-A11", + "ACC-427-A12", + "ACC-490-A04", + "ACC-490-A09", + "ACC-499-A05", + "ACC-504-A09", + "ACC-518-A06", + "ACC-567-A10", + "ACC-584-A05", + "ACC-673-A10", + "ACC-741-A03", + "ACL-004-A04", + "AI-052-A26", + "AI-052-A27", + "AI-1012-A03", + "AI-1012-A04", + "AI-1012-A05", + "AI-1012-A07", + "AI-1027-A07", + "AI-1236-A04", + "AI-1408-A01", + "AI-1417-A06", + "AI-1660-A12", + "AI-1715-A08", + "AI-997-A01", + "AUTH-018", + "AUTH-018-A18", + "AUTH-032", + "AUTH-043", + "AUTH-045", + "AUTH-047-A02", + "AUTH-067-A12", + "AUTH-088-A01", + "AUTH-088-A02", + "AUTH-1004-A01", + "AUTH-1008", + "AUTH-1009-A01", + "AUTH-1009-A03", + "AUTH-1011-A01", + "AUTH-1026", + "AUTH-1026-A01", + "AUTH-1048-A03", + "AUTH-1048-A69", + "AUTH-1087-A04", + "AUTH-1093-A03", + "AUTH-1102-A02", + "AUTH-1102-A04", + "AUTH-1102-A08", + 
"AUTH-1110-A03", + "AUTH-1135-A03", + "AUTH-1135-A04", + "AUTH-1168-A02", + "AUTH-1168-A03", + "AUTH-1280", + "AUTH-1283-A02", + "AUTH-1293", + "AUTH-1295-A06", + "AUTH-1296-A05", + "AUTH-1298-A02", + "AUTH-1298-A03", + "AUTH-1299-A05", + "AUTH-1303-A03", + "AUTH-1311-A02", + "AUTH-1313-A01", + "AUTH-1316", + "AUTH-1426-A03", + "AUTH-1426-A05", + "AUTH-1426-A06", + "AUTH-1437", + "AUTH-1437-A01", + "AUTH-1437-A02", + "AUTH-1437-A06", + "AUTH-1445-A04", + "AUTH-1448-A01", + "AUTH-1455", + "AUTH-1455-A01", + "AUTH-1455-A07", + "AUTH-1463-A02", + "AUTH-1464-A04", + "AUTH-1464-A05", + "AUTH-1464-A07", + "AUTH-1466-A04", + "AUTH-1466-A08", + "AUTH-1522-A04", + "AUTH-1524", + "AUTH-1524-A01", + "AUTH-1524-A02", + "AUTH-1525", + "AUTH-1529-A03", + "AUTH-1529-A06", + "AUTH-1529-A07", + "AUTH-1535-A02", + "AUTH-1538-A01", + "AUTH-1538-A10", + "AUTH-1576-A01", + "AUTH-1579-A01", + "AUTH-1623-A04", + "AUTH-1623-A07", + "AUTH-1623-A08", + "AUTH-1624-A11", + "AUTH-1633-A01", + "AUTH-1634-A06", + "AUTH-1635-A06", + "AUTH-1640-A01", + "AUTH-1640-A03", + "AUTH-1649-A04", + "AUTH-1652-A07", + "AUTH-1654", + "AUTH-1654-A01", + "AUTH-1654-A02", + "AUTH-1654-A03", + "AUTH-1654-A05", + "AUTH-1666-A04", + "AUTH-1669-A07", + "AUTH-1673-A08", + "AUTH-1675-A07", + "AUTH-1677-A03", + "AUTH-1678-A02", + "AUTH-1678-A07", + "AUTH-1682-A02", + "AUTH-1694-A06", + "AUTH-1695", + "AUTH-1701-A09", + "AUTH-1702-A03", + "AUTH-1706-A05", + "AUTH-1706-A09", + "AUTH-1709-A05", + "AUTH-1711-A02", + "AUTH-1711-A04", + "AUTH-1711-A07", + "AUTH-1711-A10", + "AUTH-1720-A08", + "AUTH-1721-A03", + "AUTH-1752-A05", + "AUTH-1752-A10", + "AUTH-1753-A05", + "AUTH-1753-A07", + "AUTH-1806", + "AUTH-1808-A07", + "AUTH-1809", + "AUTH-1809-A02", + "AUTH-1809-A06", + "AUTH-1810", + "AUTH-1810-A01", + "AUTH-1810-A04", + "AUTH-1810-A06", + "AUTH-1812", + "AUTH-1812-A01", + "AUTH-1812-A02", + "AUTH-1814-A01", + "AUTH-1820-A04", + "AUTH-1820-A06", + "AUTH-1823", + "AUTH-1823-A01", + "AUTH-1823-A02", + "AUTH-1827-A04", + 
"AUTH-1829-A01", + "AUTH-1830-A02", + "AUTH-1830-A03", + "AUTH-1830-A06", + "AUTH-1830-A08", + "AUTH-1831-A05", + "AUTH-1835-A08", + "AUTH-1839-A05", + "AUTH-1843-A07", + "AUTH-1843-A08", + "AUTH-1843-A09", + "AUTH-1859", + "AUTH-1877-A06", + "AUTH-1877-A08", + "AUTH-1896-A04", + "AUTH-1909-A02", + "AUTH-1909-A07", + "AUTH-1909-A08", + "AUTH-1910-A11", + "AUTH-1911-A01", + "AUTH-1911-A05", + "AUTH-1913", + "AUTH-1915-A03", + "AUTH-1915-A08", + "AUTH-1916-A01", + "AUTH-1916-A05", + "AUTH-1917-A04", + "AUTH-1917-A08", + "AUTH-1931-A05", + "AUTH-1933", + "AUTH-1935", + "AUTH-1936-A11", + "AUTH-1943-A07", + "AUTH-1944", + "AUTH-1944-A01", + "AUTH-1945-A07", + "AUTH-1945-A09", + "AUTH-1946-A04", + "AUTH-1947-A07", + "AUTH-1952", + "AUTH-1952-A02", + "AUTH-1952-A03", + "AUTH-1952-A05", + "AUTH-1952-A06", + "AUTH-1952-A07", + "AUTH-1952-A08", + "AUTH-1959", + "AUTH-1959-A02", + "AUTH-1959-A04", + "AUTH-1959-A05", + "AUTH-1959-A06", + "AUTH-1959-A08", + "AUTH-2280", + "AUTH-2280-A01", + "AUTH-2331-A08", + "AUTH-2333-A01", + "AUTH-2333-A02", + "AUTH-2338-A04", + "AUTH-2338-A06", + "AUTH-2345-A03", + "AUTH-2345-A04", + "AUTH-2368-A03", + "AUTH-2368-A05", + "AUTH-2372-A01", + "AUTH-2382-A01", + "AUTH-2399", + "AUTH-2399-A04", + "AUTH-2403", + "AUTH-2403-A03", + "AUTH-2403-A06", + "AUTH-2405-A05", + "AUTH-2411", + "AUTH-2413", + "AUTH-2413-A01", + "AUTH-2413-A03", + "AUTH-2416-A01", + "AUTH-2416-A03", + "AUTH-2417-A04", + "AUTH-2417-A11", + "AUTH-2417-A13", + "AUTH-2419-A04", + "AUTH-2419-A05", + "AUTH-2421-A03", + "AUTH-2444-A01", + "AUTH-2444-A07", + "AUTH-2444-A08", + "AUTH-2451-A04", + "AUTH-2464-A03", + "AUTH-2660-A02", + "AUTH-2678", + "AUTH-2678-A01", + "AUTH-2779", + "AUTH-2781-A03", + "AUTH-2801", + "AUTH-2801-A03", + "AUTH-2817", + "AUTH-2851", + "AUTH-2852", + "AUTH-2866-A02", + "AUTH-2866-A03", + "AUTH-2873-A01", + "AUTH-2873-A05", + "AUTH-2873-A07", + "AUTH-2875-A01", + "AUTH-2877", + "AUTH-2877-A01", + "AUTH-2877-A02", + "AUTH-2877-A05", + "AUTH-2880-A01", + 
"AUTH-2883", + "AUTH-2883-A01", + "AUTH-2883-A02", + "AUTH-2906-A01", + "AUTH-2906-A08", + "AUTH-2921-A12", + "AUTH-2935-A06", + "AUTH-2939-A04", + "AUTH-2943-A01", + "AUTH-2943-A08", + "AUTH-2946", + "AUTH-2946-A02", + "AUTH-2949-A06", + "AUTH-2949-A09", + "AUTH-2958-A07", + "AUTH-2959-A03", + "AUTH-2960-A08", + "AUTH-2963-A05", + "AUTH-2964", + "AUTH-2966-A04", + "AUTH-2967-A05", + "AUTH-2970-A02", + "AUTH-2970-A03", + "AUTH-2970-A05", + "AUTH-2970-A07", + "AUTH-2970-A08", + "AUTH-2980", + "AUTH-2981-A08", + "AUTH-2984", + "AUTH-2987", + "AUTH-2987-A06", + "AUTH-2987-A08", + "AUTH-2989-A01", + "AUTH-2993-A03", + "AUTH-2993-A04", + "AUTH-2996-A07", + "AUTH-3002-A04", + "AUTH-3002-A06", + "AUTH-3007-A03", + "AUTH-3008-A02", + "AUTH-3011", + "AUTH-3011-A06", + "AUTH-3013-A02", + "AUTH-3016", + "AUTH-3016-A15", + "AUTH-3016-A16", + "AUTH-3018", + "AUTH-3021-A04", + "AUTH-3025", + "AUTH-3045", + "AUTH-3045-A01", + "AUTH-3045-A02", + "AUTH-3045-A03", + "AUTH-3064-A03", + "AUTH-3065-A02", + "AUTH-3065-A03", + "AUTH-3065-A04", + "AUTH-3071-A01", + "AUTH-3071-A04", + "AUTH-3071-A09", + "AUTH-3073", + "AUTH-3073-A02", + "AUTH-3073-A03", + "AUTH-3073-A05", + "AUTH-3075-A01", + "AUTH-3075-A02", + "AUTH-3150", + "AUTH-3150-A01", + "AUTH-3150-A04", + "AUTH-3150-A07", + "AUTH-3150-A09", + "AUTH-3151", + "AUTH-3151-A01", + "AUTH-3151-A05", + "AUTH-3151-A06", + "AUTH-3151-A07", + "AUTH-3151-A10", + "AUTH-3151-A11", + "AUTH-3154", + "AUTH-3154-A01", + "AUTH-3154-A02", + "AUTH-3154-A08", + "AUTH-3155", + "AUTH-3155-A04", + "AUTH-3155-A05", + "AUTH-3161-A04", + "AUTH-3164-A02", + "AUTH-3164-A05", + "AUTH-3164-A07", + "AUTH-3164-A12", + "AUTH-3166-A01", + "AUTH-3166-A02", + "AUTH-3170", + "AUTH-3170-A01", + "AUTH-3170-A02", + "AUTH-3230-A01", + "AUTH-3279-A03", + "AUTH-3305-A04", + "AUTH-3314-A01", + "AUTH-3314-A02", + "AUTH-3314-A03", + "AUTH-3394-A04", + "AUTH-3396-A04", + "AUTH-3399", + "AUTH-3399-A03", + "AUTH-3454-A01", + "AUTH-3454-A05", + "AUTH-3454-A06", + "AUTH-3454-A07", + 
"AUTH-3460-A02", + "AUTH-3460-A05", + "AUTH-3460-A07", + "AUTH-3460-A08", + "AUTH-3461-A02", + "AUTH-3461-A06", + "AUTH-3541-A05", + "AUTH-3545", + "AUTH-3547-A01", + "AUTH-3548-A02", + "AUTH-3549", + "AUTH-3552-A03", + "AUTH-3552-A05", + "AUTH-3554-A03", + "AUTH-3556-A03", + "AUTH-3558-A04", + "AUTH-3562-A04", + "AUTH-3595-A01", + "AUTH-3596-A06", + "AUTH-3597", + "AUTH-3597-A03", + "AUTH-3597-A04", + "AUTH-3597-A05", + "AUTH-3599-A02", + "AUTH-3624", + "AUTH-3624-A01", + "AUTH-3624-A02", + "AUTH-3633-A02", + "AUTH-3641", + "AUTH-3641-A01", + "AUTH-3641-A08", + "AUTH-3656-A08", + "AUTH-3656-A09", + "AUTH-3656-A12", + "AUTH-3656-A13", + "AUTH-3677-A06", + "AUTH-3825-A01", + "AUTH-3825-A06", + "AUTH-384-A07", + "AUTH-384-A10", + "AUTH-3887-A07", + "AUTH-3922", + "AUTH-3935", + "AUTH-3935-A10", + "AUTH-3935-A11", + "AUTH-3935-A12", + "AUTH-3935-A13", + "AUTH-3935-A14", + "AUTH-3935-A15", + "AUTH-3935-A16", + "AUTH-3935-A17", + "AUTH-3935-A18", + "AUTH-3935-A19", + "AUTH-3951-A06", + "AUTH-3951-A07", + "AUTH-3955-A01", + "AUTH-3955-A02", + "AUTH-3955-A03", + "AUTH-3960-A02", + "AUTH-3960-A03", + "AUTH-3960-A04", + "AUTH-3960-A05", + "AUTH-3964-A06", + "AUTH-3984-A06", + "AUTH-3988-A04", + "AUTH-3993-A01", + "AUTH-3993-A03", + "AUTH-3999-A04", + "AUTH-4007-A06", + "AUTH-4028-A05", + "AUTH-4031-A07", + "AUTH-4043", + "AUTH-4043-A06", + "AUTH-4043-A08", + "AUTH-4054-A07", + "AUTH-4130-A02", + "AUTH-4135", + "AUTH-4135-A03", + "AUTH-497", + "AUTH-497-A03", + "AUTH-505-A04", + "AUTH-530-A01", + "AUTH-530-A05", + "AUTH-530-A08", + "AUTH-530-A11", + "AUTH-532-A02", + "AUTH-538-A06", + "AUTH-548", + "AUTH-548-A01", + "AUTH-548-A03", + "AUTH-559", + "AUTH-559-A01", + "AUTH-559-A03", + "AUTH-559-A05", + "AUTH-559-A09", + "AUTH-559-A12", + "AUTH-559-A17", + "AUTH-577", + "AUTH-577-A05", + "AUTH-582", + "AUTH-582-A01", + "AUTH-584", + "AUTH-584-A01", + "AUTH-584-A02", + "AUTH-584-A08", + "AUTH-584-A09", + "AUTH-586-A03", + "AUTH-586-A04", + "AUTH-592", + "AUTH-592-A02", + 
"AUTH-595", + "AUTH-595-A05", + "AUTH-610", + "AUTH-610-A06", + "AUTH-615", + "AUTH-615-A01", + "AUTH-615-A02", + "AUTH-615-A03", + "AUTH-615-A04", + "AUTH-615-A05", + "AUTH-616", + "AUTH-616-A01", + "AUTH-616-A02", + "AUTH-616-A03", + "AUTH-616-A04", + "AUTH-616-A05", + "AUTH-616-A06", + "AUTH-616-A12", + "AUTH-616-A13", + "AUTH-616-A14", + "AUTH-617", + "AUTH-623", + "AUTH-623-A01", + "AUTH-623-A02", + "AUTH-623-A03", + "AUTH-623-A04", + "AUTH-623-A05", + "AUTH-623-A06", + "AUTH-637-A08", + "AUTH-637-A09", + "AUTH-637-A30", + "AUTH-646-A04", + "AUTH-655-A10", + "AUTH-655-A11", + "AUTH-674", + "AUTH-674-A02", + "AUTH-680-A04", + "AUTH-694", + "AUTH-694-A02", + "AUTH-694-A03", + "AUTH-700-A02", + "AUTH-710-A03", + "AUTH-710-A04", + "AUTH-710-A05", + "AUTH-732-A04", + "AUTH-732-A05", + "AUTH-745", + "AUTH-745-A01", + "AUTH-745-A05", + "AUTH-748-A05", + "AUTH-748-A06", + "AUTH-748-A10", + "AUTH-748-A11", + "AUTH-752", + "AUTH-752-A01", + "AUTH-752-A07", + "AUTH-754-A05", + "AUTH-754-A07", + "AUTH-754-A12", + "AUTH-766-A06", + "AUTH-769-A07", + "AUTH-775-A10", + "AUTH-782-A06", + "AUTH-784-A03", + "AUTH-785", + "AUTH-785-A01", + "AUTH-795-A02", + "AUTH-803-A05", + "AUTH-803-A07", + "AUTH-804-A06", + "AUTH-818-A02", + "AUTH-822-A04", + "AUTH-822-A05", + "AUTH-825-A05", + "AUTH-828-A05", + "AUTH-828-A09", + "AUTH-828-A10", + "AUTH-831-A03", + "AUTH-831-A05", + "AUTH-836-A04", + "AUTH-836-A05", + "AUTH-836-A07", + "AUTH-836-A11", + "AUTH-836-A16", + "AUTH-838-A10", + "AUTH-838-A11", + "AUTH-838-A17", + "AUTH-838-A18", + "AUTH-838-A26", + "AUTH-838-A27", + "AUTH-838-A36", + "AUTH-838-A37", + "AUTH-838-A44", + "AUTH-838-A45", + "AUTH-844-A03", + "AUTH-844-A12", + "AUTH-844-A20", + "AUTH-844-A27", + "AUTH-844-A36", + "AUTH-845-A01", + "AUTH-845-A06", + "AUTH-845-A13", + "AUTH-845-A18", + "AUTH-845-A24", + "AUTH-845-A27", + "AUTH-845-A38", + "AUTH-845-A45", + "AUTH-845-A50", + "AUTH-845-A54", + "AUTH-846-A03", + "AUTH-846-A12", + "AUTH-846-A22", + "AUTH-846-A32", + 
"AUTH-846-A41", + "AUTH-850-A19", + "AUTH-850-A29", + "AUTH-850-A38", + "AUTH-850-A46", + "AUTH-851-A01", + "AUTH-851-A02", + "AUTH-851-A16", + "AUTH-851-A46", + "AUTH-867-A20", + "AUTH-885-A03", + "AUTH-885-A10", + "AUTH-885-A17", + "AUTH-885-A22", + "AUTH-885-A31", + "AUTH-888-A30", + "AUTH-888-A37", + "AUTH-894-A06", + "AUTH-894-A11", + "AUTH-894-A12", + "AUTH-902-A01", + "AUTH-902-A11", + "AUTH-902-A17", + "AUTH-905-A04", + "AUTH-905-A09", + "AUTH-905-A14", + "AUTH-905-A17", + "AUTH-905-A22", + "AUTH-909-A02", + "AUTH-909-A12", + "AUTH-909-A22", + "AUTH-909-A32", + "AUTH-909-A42", + "AUTH-913-A05", + "AUTH-917", + "AUTH-917-A01", + "AUTH-917-A04", + "AUTH-917-A05", + "AUTH-917-A06", + "AUTH-917-A09", + "AUTH-917-A10", + "AUTH-917-A11", + "AUTH-917-A14", + "AUTH-917-A15", + "AUTH-917-A16", + "AUTH-917-A17", + "AUTH-917-A20", + "AUTH-917-A21", + "AUTH-917-A22", + "AUTH-917-A24", + "AUTH-917-A25", + "AUTH-917-A26", + "AUTH-922-A02", + "AUTH-922-A08", + "AUTH-928-A07", + "AUTH-928-A13", + "AUTH-928-A19", + "AUTH-928-A25", + "AUTH-928-A30", + "AUTH-932", + "AUTH-937-A01", + "AUTH-937-A08", + "AUTH-937-A15", + "AUTH-937-A22", + "AUTH-937-A29", + "AUTH-938-A01", + "AUTH-938-A02", + "AUTH-938-A03", + "AUTH-938-A08", + "AUTH-938-A09", + "AUTH-938-A10", + "AUTH-938-A13", + "AUTH-938-A14", + "AUTH-938-A19", + "AUTH-938-A20", + "AUTH-938-A21", + "AUTH-938-A26", + "AUTH-938-A27", + "AUTH-938-A28", + "AUTH-938-A36", + "AUTH-938-A37", + "AUTH-938-A38", + "AUTH-941-A04", + "AUTH-941-A05", + "AUTH-941-A10", + "AUTH-941-A11", + "AUTH-941-A17", + "AUTH-941-A18", + "AUTH-941-A23", + "AUTH-941-A24", + "AUTH-953", + "AUTH-953-A06", + "AUTH-954-A15", + "AUTH-960", + "AUTH-974-A07", + "AUTH-976-A07", + "AUTH-988-A09", + "AUTH-988-A20", + "AUTH-989-A18", + "AUTH-995-A05", + "AUTH-995-A85", + "AUTH-996-A04", + "AUTH-996-A17", + "BND-002-A02", + "BND-002-A04", + "BND-002-A06", + "BND-002-A08", + "COMP-1264-A01", + "COMP-1264-A02", + "COMP-1264-A05", + "COMP-1883-A03", + "COMP-1904-A04", 
+ "COMP-1904-A05", + "COMP-1948", + "COMP-1948-A02", + "COMP-1960-A06", + "COMP-1960-A09", + "COMP-2029-A04", + "COMP-2131-A09", + "COMP-2639-A04", + "COMP-3435-A05", + "COMP-3602", + "COMP-3602-A01", + "COMP-3602-A08", + "COMP-3602-A10", + "COMP-3733-A03", + "COMP-3983-A02", + "COMP-3983-A04", + "COMP-3983-A12", + "CRYP-1097-A09", + "CRYP-1124-A05", + "CRYP-1141-A09", + "CRYP-1306-A07", + "CRYP-1386-A08", + "CRYP-1391-A05", + "CRYP-1393-A03", + "CRYP-1466-A03", + "CRYP-1466-A05", + "CRYP-1712-A15", + "CRYP-1864", + "CRYP-1864-A02", + "CRYP-191", + "CRYP-1983-A01", + "CRYP-2287", + "CRYP-2287-A01", + "CRYP-2287-A12", + "CRYP-2301-A06", + "CRYP-447-A16", + "CRYP-447-A20", + "CRYP-450-A05", + "CRYP-450-A06", + "CRYP-450-A40", + "CRYP-450-A52", + "CRYP-450-A53", + "CRYP-626", + "CRYP-626-A05", + "CRYP-671-A01", + "CRYP-671-A02", + "CRYP-876-A06", + "DATA-1191-A10", + "DATA-1257-A05", + "DATA-1257-A09", + "DATA-1801-A06", + "DATA-260-A02", + "DATA-260-A08", + "DATA-2607-A05", + "DATA-2648-A01", + "DATA-2662-A05", + "DATA-2663-A04", + "DATA-3292-A01", + "DATA-3401-A01", + "DATA-3613-A01", + "DATA-3754-A03", + "DATA-598-A05", + "DATA-598-A06", + "DATA-972-A06", + "DATA-972-A12", + "FIN-1223-A06", + "GOV-1562-A05", + "GOV-1700-A01", + "GOV-1732-A01", + "GOV-1733-A04", + "GOV-3902-A01", + "GOV-413-A18", + "GOV-519", + "GOV-519-A11", + "GOV-519-A35", + "GOV-520-A40", + "IAM-008", + "IDA-008-A01", + "IDA-008-A04", + "IDF-004-A02", + "IDF-010", + "IDF-010-A01", + "INC-946-A06", + "LGM-001-A09", + "LOG-053-A07", + "LOG-1742-A05", + "LOG-1742-A08", + "LOG-1742-A13", + "LOG-1748-A01", + "LOG-1767-A02", + "LOG-705-A01", + "LOG-735-A17", + "LOG-735-A18", + "LOG-745-A44", + "LOG-745-A54", + "LOG-774-A01", + "LOG-774-A15", + "LOG-774-A22", + "LOG-774-A29", + "MIA-001", + "NET-1014-A03", + "NET-1014-A04", + "NET-1633-A02", + "NET-351", + "NET-351-A01", + "NET-351-A02", + "NET-351-A06", + "NET-351-A07", + "NET-391", + "NET-391-A01", + "NET-391-A08", + "NET-405", + "NET-405-A03", + 
"NET-405-A08", + "NET-405-A09", + "NET-506-A15", + "NET-506-A60", + "NET-794-A06", + "NET-806-A02", + "NET-857-A04", + "NET-857-A05", + "NET-901-A04", + "NET-920-A02", + "NET-938-A10", + "NET-965", + "NET-980-A07", + "PFI-001-A02", + "SEC-082-A06", + "SEC-1085", + "SEC-1144-A03", + "SEC-1144-A28", + "SEC-1144-A42", + "SEC-1144-A56", + "SEC-1144-A70", + "SEC-1146-A02", + "SEC-1146-A07", + "SEC-1146-A54", + "SEC-1146-A59", + "SEC-1153-A12", + "SEC-2445-A01", + "SEC-2635-A03", + "SEC-2662-A07", + "SEC-2662-A13", + "SEC-2798", + "SEC-2818-A05", + "SEC-2841-A03", + "SEC-2845-A09", + "SEC-2899-A04", + "SEC-2899-A06", + "SEC-3195-A04", + "SEC-3383-A08", + "SEC-3406", + "SEC-3732-A08", + "SEC-3842-A02", + "SEC-3935-A02", + "SEC-4028-A03", + "SEC-4076-A02", + "SEC-4217", + "SEC-4292-A08", + "SEC-4509", + "SEC-4513-A04", + "SEC-4655-A03", + "SEC-4655-A04", + "SEC-5595-A13", + "SEC-5792-A03", + "SEC-5792-A04", + "SEC-6770", + "SEC-6784-A10", + "SEC-6830-A05", + "SEC-7963-A03", + "SEC-7963-A04", + "SEC-7965-A03", + "SEC-7994-A06", + "SEC-8121-A05", + "SEC-8138-A03", + "SEC-8295-A01", + "SEC-8334-A06", + "SEC-8825-A05", + "SEC-9212-A01", + "SEC-9212-A02" + ], + "member_count": 929, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.82, + "source_meta_cluster": "M43", + "cluster_size": 95, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "evidence_merged_from": [ + "auth_anomaly_detection", + "auth_failure_logging" + ] + }, + { + "id": "server_side_validation", + "name": "Serverseitige Validierung von Authentifizierung", + "description": "Authentifizierungsentscheidungen sind serverseitig zu validieren; clientseitige/nicht vertrauenswuerdige Validierung ist unzulaessig.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "credential", + "applicability": "universal", + "evidence_facets": { + "governance": false, + 
"capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "OWASP", + "anchor": "ASVS V1.2", + "role": "best_practice" + } + ], + "member_review_units": [ + "M15", + "M32", + "M123" + ], + "member_controls": [ + "ACC-645-A13", + "ACC-645-A16", + "ACC-690-A02", + "AI-1351-A03", + "AUTH-036", + "AUTH-036-A10", + "AUTH-036-A13", + "AUTH-1099-A01", + "AUTH-1099-A06", + "AUTH-1286", + "AUTH-1296", + "AUTH-1296-A01", + "AUTH-1306-A06", + "AUTH-1529-A10", + "AUTH-1535", + "AUTH-1535-A06", + "AUTH-1627-A15", + "AUTH-1640-A02", + "AUTH-1659-A01", + "AUTH-1669", + "AUTH-1669-A02", + "AUTH-1694", + "AUTH-1694-A01", + "AUTH-1694-A02", + "AUTH-1701-A01", + "AUTH-1701-A08", + "AUTH-1748-A05", + "AUTH-1752-A04", + "AUTH-1758-A01", + "AUTH-1758-A05", + "AUTH-1819-A02", + "AUTH-1820", + "AUTH-1830-A01", + "AUTH-1836-A02", + "AUTH-1864-A09", + "AUTH-1877-A04", + "AUTH-1918-A07", + "AUTH-1931-A07", + "AUTH-2167-A01", + "AUTH-2333-A03", + "AUTH-2466-A11", + "AUTH-2486", + "AUTH-2650", + "AUTH-2650-A01", + "AUTH-2678-A11", + "AUTH-2805", + "AUTH-2805-A01", + "AUTH-2805-A02", + "AUTH-2805-A03", + "AUTH-2805-A04", + "AUTH-2805-A05", + "AUTH-2850-A02", + "AUTH-2883-A09", + "AUTH-2886-A04", + "AUTH-2886-A06", + "AUTH-2912-A14", + "AUTH-2937", + "AUTH-2940", + "AUTH-2952", + "AUTH-2974-A03", + "AUTH-2986-A02", + "AUTH-2986-A06", + "AUTH-3010", + "AUTH-3151-A04", + "AUTH-3258-A05", + "AUTH-3279", + "AUTH-3452-A04", + "AUTH-3552-A02", + "AUTH-3639", + "AUTH-3643", + "AUTH-3645-A07", + "AUTH-3672", + "AUTH-3751-A02", + "AUTH-3906-A14", + "AUTH-3929", + "AUTH-3984", + "AUTH-3984-A03", + "AUTH-674-A04", + "AUTH-675-A03", + "AUTH-732-A02", + "AUTH-732-A03", + "AUTH-734-A10", + "AUTH-748-A04", + "AUTH-748-A09", + "AUTH-771-A02", + "AUTH-794", + "AUTH-794-A02", + "AUTH-794-A08", + "AUTH-833-A04", + "AUTH-833-A09", + "AUTH-836-A13", + "AUTH-837-A14", + "AUTH-843-A05", + "AUTH-843-A14", + "AUTH-843-A23", + "AUTH-843-A33", + 
"AUTH-843-A43", + "AUTH-843-A50", + "AUTH-846-A05", + "AUTH-846-A06", + "AUTH-846-A14", + "AUTH-846-A15", + "AUTH-846-A24", + "AUTH-846-A25", + "AUTH-846-A34", + "AUTH-846-A35", + "AUTH-846-A43", + "AUTH-846-A44", + "AUTH-849-A04", + "AUTH-849-A08", + "AUTH-849-A09", + "AUTH-849-A13", + "AUTH-849-A20", + "AUTH-849-A24", + "AUTH-849-A25", + "AUTH-849-A29", + "AUTH-849-A30", + "AUTH-849-A37", + "AUTH-849-A41", + "AUTH-849-A42", + "AUTH-849-A56", + "AUTH-849-A57", + "AUTH-850-A09", + "AUTH-915-A20", + "AUTH-915-A26", + "AUTH-934", + "AUTH-934-A01", + "AUTH-934-A02", + "AUTH-934-A03", + "AUTH-934-A04", + "AUTH-934-A09", + "AUTH-934-A10", + "AUTH-934-A11", + "AUTH-934-A12", + "AUTH-934-A18", + "AUTH-934-A19", + "AUTH-934-A20", + "AUTH-934-A21", + "AUTH-934-A27", + "AUTH-934-A28", + "AUTH-934-A29", + "AUTH-934-A30", + "AUTH-934-A40", + "AUTH-934-A41", + "AUTH-934-A42", + "AUTH-934-A43", + "CRYP-1124", + "CRYP-1124-A01", + "CRYP-1124-A08", + "CRYP-1239-A01", + "CRYP-1460-A04", + "CRYP-1927", + "CRYP-2179", + "CRYP-2179-A10", + "CRYP-2254-A04", + "DATA-3649-A13", + "DATA-720-A02", + "IAM-001-A07", + "IAM-001-A11", + "INC-1154-A05", + "INC-971-A06", + "NET-887-A09", + "SEC-3195", + "SEC-400-A04", + "SEC-400-A05", + "SEC-400-A21", + "SEC-400-A22", + "SEC-7963-A07", + "SEC-8334-A13" + ], + "member_count": 169, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.78, + "source_meta_cluster": "M15", + "cluster_size": 83, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "session_binding_management", + "name": "Sitzungsbindung und Session-Management", + "description": "Nach erfolgreicher Authentifizierung sind Sessions sicher zu binden, neue Session-IDs zu generieren und sicher zu verwalten.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "session", + "applicability": "universal", + "evidence_facets": { + 
"governance": false, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "OWASP", + "anchor": "ASVS V3", + "role": "best_practice" + } + ], + "member_review_units": [ + "M25", + "M11", + "M57", + "M71", + "M87", + "M95", + "M103", + "M105" + ], + "member_controls": [ + "ACC-567", + "ACC-567-A01", + "AUT-005", + "AUT-005-A05", + "AUTH-1058", + "AUTH-1058-A01", + "AUTH-116-A01", + "AUTH-116-A12", + "AUTH-1300-A03", + "AUTH-1634-A03", + "AUTH-1638-A01", + "AUTH-1645-A03", + "AUTH-1645-A05", + "AUTH-1669-A08", + "AUTH-1684-A04", + "AUTH-1688-A06", + "AUTH-1701", + "AUTH-1701-A02", + "AUTH-1701-A05", + "AUTH-1711", + "AUTH-1711-A01", + "AUTH-1711-A03", + "AUTH-1711-A05", + "AUTH-1716-A01", + "AUTH-1720", + "AUTH-1720-A02", + "AUTH-1721-A02", + "AUTH-1745-A01", + "AUTH-1748", + "AUTH-1748-A01", + "AUTH-1750-A01", + "AUTH-1752", + "AUTH-1806-A04", + "AUTH-1813-A08", + "AUTH-1822-A02", + "AUTH-1830-A04", + "AUTH-1843-A01", + "AUTH-1914", + "AUTH-1914-A02", + "AUTH-1914-A04", + "AUTH-1917-A01", + "AUTH-1919", + "AUTH-1931", + "AUTH-1931-A01", + "AUTH-1931-A02", + "AUTH-1932-A08", + "AUTH-1940-A05", + "AUTH-1948-A01", + "AUTH-1949-A06", + "AUTH-2315", + "AUTH-2315-A03", + "AUTH-2316-A01", + "AUTH-2316-A02", + "AUTH-2317-A03", + "AUTH-2317-A06", + "AUTH-2322-A01", + "AUTH-2338-A01", + "AUTH-2338-A05", + "AUTH-2548", + "AUTH-2551", + "AUTH-2553-A04", + "AUTH-2883-A04", + "AUTH-2922-A06", + "AUTH-2923-A01", + "AUTH-2924", + "AUTH-2930-A07", + "AUTH-2933", + "AUTH-2953", + "AUTH-2964-A05", + "AUTH-2988", + "AUTH-2988-A01", + "AUTH-2989-A03", + "AUTH-2994", + "AUTH-2994-A04", + "AUTH-2996-A03", + "AUTH-3007-A08", + "AUTH-3013-A10", + "AUTH-3014", + "AUTH-3016-A08", + "AUTH-3020-A01", + "AUTH-3023-A05", + "AUTH-3064", + "AUTH-3064-A01", + "AUTH-3074", + "AUTH-3074-A01", + "AUTH-3074-A05", + "AUTH-3258-A09", + "AUTH-3279-A04", + "AUTH-3284-A01", + "AUTH-3284-A05", + "AUTH-3286-A02", + "AUTH-3286-A05", 
+ "AUTH-3457", + "AUTH-3543-A01", + "AUTH-3545-A04", + "AUTH-3562-A01", + "AUTH-3599", + "AUTH-3645", + "AUTH-3646", + "AUTH-3751", + "AUTH-4127", + "AUTH-606", + "AUTH-700", + "AUTH-738", + "AUTH-738-A04", + "AUTH-750", + "AUTH-799-A10", + "AUTH-799-A11", + "AUTH-815", + "AUTH-836-A03", + "AUTH-836-A10", + "AUTH-836-A14", + "AUTH-845-A04", + "AUTH-845-A05", + "AUTH-845-A17", + "AUTH-845-A36", + "AUTH-845-A37", + "AUTH-845-A48", + "AUTH-845-A49", + "AUTH-845-A52", + "AUTH-845-A53", + "AUTH-849-A02", + "AUTH-849-A11", + "AUTH-849-A18", + "AUTH-849-A35", + "AUTH-849-A50", + "AUTH-850-A05", + "AUTH-850-A15", + "AUTH-850-A34", + "AUTH-855-A02", + "AUTH-855-A17", + "AUTH-855-A32", + "AUTH-855-A48", + "AUTH-855-A62", + "AUTH-893-A10", + "AUTH-893-A22", + "AUTH-949-A03", + "AUTH-949-A30", + "AUTH-951", + "AUTH-973-A04", + "AUTH-974-A08", + "AVL-003-A06", + "COMP-1904", + "COMP-1960-A04", + "COMP-3313-A03", + "COMP-3421-A13", + "COMP-3431-A02", + "COMP-3981-A05", + "CRYP-1269", + "CRYP-1269-A01", + "CRYP-1269-A02", + "CRYP-1288-A04", + "CRYP-1394-A03", + "CRYP-1433-A06", + "CRYP-1433-A08", + "CRYP-1533", + "CRYP-1533-A02", + "CRYP-1533-A03", + "CRYP-447-A01", + "CRYP-447-A17", + "CRYP-723-A09", + "CRYP-948-A05", + "DATA-1007-A02", + "DATA-1007-A09", + "DATA-1007-A11", + "DATA-1191-A02", + "DATA-1801", + "DATA-259", + "DATA-3948", + "INC-246", + "INC-246-A01", + "INC-246-A02", + "INC-246-A04", + "NET-1345-A02", + "NET-405-A02", + "NET-405-A07", + "SEC-1223-A05", + "SEC-2809-A08", + "SEC-3683-A05", + "SEC-4021-A03", + "SEC-5610", + "SEC-6775", + "SEC-6778", + "SEC-6846-A03", + "SEC-8815" + ], + "member_count": 185, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.83, + "source_meta_cluster": "M25", + "cluster_size": 16, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "reauth_after_inactivity", + "name": 
"Neuauthentifizierung nach Inaktivitaet/Timeout", + "description": "Nach Inaktivitaetsdauer, Grace-Period oder Netzwerkortwechsel ist eine Neuauthentifizierung zu erzwingen.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "session", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-63B 4.3", + "role": "best_practice" + } + ], + "member_review_units": [ + "M33", + "M13", + "M158", + "M112" + ], + "member_controls": [ + "ACC-584-A05", + "AUTH-047-A02", + "AUTH-1093-A03", + "AUTH-1102-A02", + "AUTH-1102-A04", + "AUTH-1135-A03", + "AUTH-1135-A04", + "AUTH-1168-A02", + "AUTH-1168-A03", + "AUTH-1280", + "AUTH-1295-A06", + "AUTH-1299-A05", + "AUTH-1316", + "AUTH-1426-A03", + "AUTH-1522-A04", + "AUTH-1525", + "AUTH-1529-A03", + "AUTH-1529-A07", + "AUTH-1640-A01", + "AUTH-1649-A04", + "AUTH-1677-A03", + "AUTH-1682-A02", + "AUTH-1806", + "AUTH-1810-A04", + "AUTH-1896-A04", + "AUTH-2338-A04", + "AUTH-2368-A05", + "AUTH-2411", + "AUTH-2413", + "AUTH-2413-A01", + "AUTH-2419-A04", + "AUTH-2419-A05", + "AUTH-2421-A03", + "AUTH-2444-A08", + "AUTH-2660-A02", + "AUTH-2866-A02", + "AUTH-2875-A01", + "AUTH-2877", + "AUTH-2877-A02", + "AUTH-2943-A01", + "AUTH-2946-A02", + "AUTH-2963-A05", + "AUTH-2987", + "AUTH-2987-A08", + "AUTH-2993-A04", + "AUTH-2996-A07", + "AUTH-3002-A06", + "AUTH-3007-A03", + "AUTH-3011", + "AUTH-3011-A06", + "AUTH-3016", + "AUTH-3018", + "AUTH-3064-A03", + "AUTH-3155-A05", + "AUTH-3334", + "AUTH-3334-A05", + "AUTH-3454-A01", + "AUTH-3454-A05", + "AUTH-3454-A06", + "AUTH-3454-A07", + "AUTH-3545", + "AUTH-3955-A02", + "AUTH-3955-A03", + "AUTH-3984-A06", + "AUTH-3988-A04", + "AUTH-3999-A04", + "AUTH-4028-A05", + "AUTH-4130-A02", + "AUTH-532-A02", + "AUTH-559-A17", + "AUTH-586-A03", + "AUTH-586-A04", + "AUTH-616-A04", + "AUTH-616-A14", + "AUTH-680-A04", 
+ "AUTH-754-A05", + "AUTH-754-A07", + "AUTH-754-A12", + "AUTH-766-A06", + "AUTH-769-A07", + "AUTH-782-A06", + "AUTH-795-A02", + "AUTH-831-A03", + "AUTH-831-A05", + "AUTH-845-A06", + "AUTH-845-A18", + "AUTH-845-A38", + "AUTH-845-A50", + "AUTH-845-A54", + "AUTH-850-A19", + "AUTH-850-A29", + "AUTH-850-A38", + "AUTH-850-A46", + "AUTH-851-A16", + "AUTH-867-A20", + "AUTH-989-A22", + "AUTH-995-A05", + "AUTH-995-A85", + "AUTH-996-A04", + "AUTH-996-A17", + "BND-002-A02", + "BND-002-A04", + "BND-002-A06", + "BND-002-A08", + "COMP-1948", + "COMP-1948-A02", + "CRYP-1141-A09", + "CRYP-191", + "CRYP-2287", + "CRYP-2301-A06", + "CRYP-447-A20", + "CRYP-626-A05", + "CRYP-671-A01", + "CRYP-671-A02", + "CRYP-876-A06", + "DATA-2662-A05", + "DATA-598-A05", + "DATA-598-A06", + "NET-1619-A02", + "NET-1633-A02", + "NET-806-A02", + "NET-901-A04", + "NET-920-A02", + "NET-965", + "SEC-2445-A01", + "SEC-2841-A03", + "SEC-3406", + "SEC-3842-A02", + "SEC-4028-A03", + "SEC-4076-A02", + "SEC-4509", + "SEC-7963-A03", + "SEC-7963-A04", + "SEC-8334-A06", + "SEC-8825-A05" + ], + "member_count": 135, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.82, + "source_meta_cluster": "M33", + "cluster_size": 66, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "token_validation_lifecycle", + "name": "Authentifizierungs-Token Validierung und Gueltigkeit", + "description": "Authentifizierungstoken muessen validiert werden, eine begrenzte Gueltigkeitsdauer haben und abgelaufene/nicht konforme Token abgelehnt werden.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "token", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "OWASP", + "anchor": "ASVS V3.5", + "role": 
"best_practice" + } + ], + "member_review_units": [ + "M124", + "M127", + "M67", + "M90", + "M64" + ], + "member_controls": [ + "AUTH-1663-A07", + "AUTH-1672-A04", + "AUTH-1678-A05", + "AUTH-1679-A05", + "AUTH-1682-A04", + "AUTH-1691-A04", + "AUTH-1700-A05", + "AUTH-1713-A01", + "AUTH-1790-A05", + "AUTH-1814", + "AUTH-1814-A03", + "AUTH-1820-A01", + "AUTH-1836-A01", + "AUTH-1840", + "AUTH-1840-A01", + "AUTH-1840-A02", + "AUTH-1912-A03", + "AUTH-1940-A01", + "AUTH-2466-A07", + "AUTH-2850-A01", + "AUTH-3450-A01", + "AUTH-3450-A06", + "AUTH-3968-A06", + "AUTH-3999", + "AUTH-742-A08", + "AUTH-762-A06", + "AUTH-783-A03", + "AUTH-783-A04", + "AUTH-783-A07", + "AUTH-783-A08", + "AUTH-783-A12", + "AUTH-804", + "AUTH-816", + "AUTH-818-A19", + "AUTH-849-A14", + "AUTH-849-A15", + "AUTH-849-A21", + "AUTH-849-A22", + "AUTH-849-A38", + "AUTH-849-A39", + "AUTH-849-A53", + "AUTH-849-A54", + "AUTH-849-A68", + "AUTH-855-A04", + "AUTH-855-A19", + "AUTH-855-A34", + "AUTH-855-A50", + "AUTH-855-A64", + "AUTH-961-A15", + "BND-001-A02", + "BND-001-A07", + "CRYP-1288-A10", + "CRYP-1321-A03", + "CRYP-1433-A02", + "CRYP-1467-A03", + "CRYP-1467-A08", + "CRYP-1521-A03", + "CRYP-1525-A08", + "CRYP-2148-A01", + "CRYP-2150-A02", + "NET-467-A03", + "NET-467-A11", + "NET-909-A03", + "SEC-1215-A01", + "SEC-2899-A07", + "SEC-305-A02", + "SEC-305-A03", + "SEC-305-A09", + "SEC-305-A10", + "SEC-8241-A01", + "SEC-8244-A10" + ], + "member_count": 71, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.8, + "source_meta_cluster": "M124", + "cluster_size": 19, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "mutual_authentication", + "name": "Gegenseitige (mutual) Authentifizierung", + "description": "Bei Kommunikationsverbindungen ist gegenseitige Authentifizierung von Client und Server/Service umzusetzen, inkl. 
MITM-Schutz.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "token", + "applicability": "conditional:network_communication", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "IA-03", + "role": "best_practice" + } + ], + "member_review_units": [ + "M24", + "M96", + "M84", + "M135", + "M153" + ], + "member_controls": [ + "AUT-003", + "AUT-004", + "AUT-006", + "AUTH-047-A04", + "AUTH-1049-A17", + "AUTH-1049-A41", + "AUTH-1083", + "AUTH-1083-A02", + "AUTH-1306-A02", + "AUTH-1306-A03", + "AUTH-1439-A09", + "AUTH-1445", + "AUTH-1445-A01", + "AUTH-1448", + "AUTH-1463", + "AUTH-1582", + "AUTH-1582-A02", + "AUTH-1696-A02", + "AUTH-1861-A08", + "AUTH-1865", + "AUTH-1865-A01", + "AUTH-1865-A08", + "AUTH-1940-A08", + "AUTH-1959-A07", + "AUTH-1959-A10", + "AUTH-2337-A07", + "AUTH-2553", + "AUTH-2553-A02", + "AUTH-2635-A01", + "AUTH-2635-A02", + "AUTH-2635-A03", + "AUTH-3542-A09", + "AUTH-3647-A01", + "AUTH-3647-A02", + "AUTH-3648-A10", + "AUTH-3672-A01", + "AUTH-3963-A03", + "AUTH-4125-A02", + "AUTH-4127-A04", + "AUTH-505", + "AUTH-505-A02", + "AUTH-532-A03", + "AUTH-550", + "AUTH-550-A01", + "AUTH-550-A06", + "AUTH-586", + "AUTH-625", + "AUTH-625-A01", + "AUTH-806", + "AUTH-806-A01", + "AUTH-850-A04", + "AUTH-850-A24", + "AUTH-850-A33", + "AUTH-850-A41", + "COM-004", + "COMP-074-A02", + "COMP-074-A09", + "COMP-1055", + "COMP-1960-A05", + "COMP-2129-A03", + "COMP-2129-A09", + "CRYP-1024-A03", + "CRYP-1028-A03", + "CRYP-1124-A04", + "CRYP-1227", + "CRYP-1227-A02", + "CRYP-1227-A08", + "CRYP-1250-A10", + "CRYP-1305-A06", + "CRYP-1323-A02", + "CRYP-1421-A07", + "CRYP-1431-A08", + "CRYP-1433-A01", + "CRYP-1433-A05", + "CRYP-1458-A06", + "CRYP-1466", + "CRYP-1466-A01", + "CRYP-1466-A02", + "CRYP-1469-A01", + "CRYP-1519-A06", + "CRYP-1530-A02", + "CRYP-1541-A06", + "CRYP-1722-A02", + "CRYP-1722-A07", + 
"CRYP-1791-A02", + "CRYP-193-A03", + "CRYP-1993-A03", + "CRYP-2188-A08", + "CRYP-721-A02", + "CRYP-780-A02", + "CRYP-886-A01", + "GOV-1403-A12", + "GOV-500-A02", + "GOV-500-A07", + "GOV-500-A12", + "GOV-500-A17", + "HLT-122-A04", + "IDA-002", + "INC-978", + "INC-978-A07", + "NET-1233-A07", + "NET-1471-A05", + "NET-656-A06", + "NET-656-A14", + "NET-656-A22", + "NET-656-A30", + "NET-656-A38", + "NET-656-A46", + "NET-857-A03", + "NET-857-A11", + "NET-879-A03", + "NET-931-A02", + "NET-938-A06", + "SEC-1223", + "SEC-2788-A02", + "SEC-2788-A08", + "SEC-2809-A01", + "SEC-2818-A01", + "SEC-3383-A02", + "SEC-3383-A07", + "SEC-4292", + "SEC-4292-A01", + "SEC-4292-A02", + "SEC-4292-A09", + "SEC-4292-A10", + "SEC-4733-A02", + "SEC-5811-A01", + "SEC-5811-A02", + "SEC-6382-A03", + "SEC-6925-A09" + ], + "member_count": 130, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.83, + "source_meta_cluster": "M24", + "cluster_size": 101, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "revocation_check", + "name": "Widerrufs-/Sperrlistenpruefung bei Authentifizierung", + "description": "Vor erfolgreicher Authentifizierung sind Zertifikats-Widerruf bzw. 
Sperrlisten zu pruefen.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "credential", + "applicability": "conditional:certificate_based", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "IA-05(2)", + "role": "best_practice" + } + ], + "member_review_units": [ + "M24", + "M50", + "M52" + ], + "member_controls": [ + "AUT-003", + "AUT-004", + "AUT-006", + "AUTH-047-A04", + "AUTH-1049-A17", + "AUTH-1049-A41", + "AUTH-1083", + "AUTH-1083-A02", + "AUTH-1306-A02", + "AUTH-1306-A03", + "AUTH-1439-A09", + "AUTH-1445", + "AUTH-1445-A01", + "AUTH-1448", + "AUTH-1463", + "AUTH-1582", + "AUTH-1582-A02", + "AUTH-1583-A05", + "AUTH-1628", + "AUTH-1628-A02", + "AUTH-1696-A02", + "AUTH-1861-A08", + "AUTH-1940-A08", + "AUTH-1959-A07", + "AUTH-1959-A10", + "AUTH-2337-A07", + "AUTH-2635-A01", + "AUTH-2635-A02", + "AUTH-2635-A03", + "AUTH-3542-A09", + "AUTH-3647-A01", + "AUTH-3647-A02", + "AUTH-3648-A10", + "AUTH-3672-A01", + "AUTH-4125-A02", + "AUTH-4127-A04", + "AUTH-532-A03", + "AUTH-806", + "AUTH-806-A01", + "AUTH-850-A04", + "AUTH-850-A24", + "AUTH-850-A33", + "AUTH-850-A41", + "COM-004", + "COMP-074-A02", + "COMP-074-A09", + "COMP-1960-A05", + "COMP-2129-A03", + "COMP-2129-A09", + "CRYP-1028-A03", + "CRYP-1227", + "CRYP-1227-A02", + "CRYP-1227-A08", + "CRYP-1250-A10", + "CRYP-1305-A06", + "CRYP-1323-A02", + "CRYP-1431-A08", + "CRYP-1433-A01", + "CRYP-1433-A05", + "CRYP-1466", + "CRYP-1466-A01", + "CRYP-1466-A02", + "CRYP-1469-A01", + "CRYP-1519-A06", + "CRYP-1530-A02", + "CRYP-1722-A02", + "CRYP-1722-A07", + "CRYP-1791-A02", + "CRYP-721-A02", + "CRYP-886-A01", + "GOV-1403-A12", + "GOV-500-A02", + "GOV-500-A07", + "GOV-500-A12", + "GOV-500-A17", + "HLT-122-A04", + "IDA-002", + "NET-1471-A05", + "NET-656-A06", + "NET-656-A14", + "NET-656-A22", + "NET-656-A30", + "NET-656-A38", + "NET-656-A46", + 
"NET-857-A03", + "NET-857-A11", + "NET-931-A02", + "NET-938-A06", + "SEC-1223", + "SEC-2788-A02", + "SEC-2788-A08", + "SEC-2809-A01", + "SEC-2818-A01", + "SEC-3383-A02", + "SEC-3383-A07", + "SEC-4292", + "SEC-4292-A01", + "SEC-4292-A02", + "SEC-4292-A10", + "SEC-4733-A02", + "SEC-5811-A01", + "SEC-5811-A02", + "SEC-6382-A03", + "SEC-6925-A09" + ], + "member_count": 104, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.78, + "source_meta_cluster": "M24", + "cluster_size": 101, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "encrypted_auth_channel", + "name": "Verschluesselte Authentifizierungskanaele", + "description": "Authentifizierung muss ueber verschluesselte Kanaele erfolgen; unverschluesselte Authentifizierungskanaele sind zu deaktivieren.", + "tier": "LEGAL_MINIMUM", + "family": "authentication", + "subdomain": "credential", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I (2)(e)", + "citation": "protect the confidentiality of... transmitted... data... incl. 
encryption in transit" + } + ], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "TR-02102-2", + "role": "best_practice" + } + ], + "member_review_units": [ + "M37", + "M117", + "M167" + ], + "member_controls": [ + "AUTH-1300-A02", + "AUTH-1437-A03", + "AUTH-1441-A07", + "AUTH-1441-A08", + "AUTH-1468-A02", + "AUTH-148-A11", + "AUTH-1747", + "AUTH-1817", + "AUTH-2419-A06", + "AUTH-2425", + "AUTH-2466-A08", + "AUTH-2553-A12", + "AUTH-2933-A04", + "AUTH-2935", + "AUTH-2935-A08", + "AUTH-2937-A05", + "AUTH-2996-A05", + "AUTH-3255", + "AUTH-3430-A02", + "AUTH-3652", + "AUTH-3652-A01", + "AUTH-3652-A02", + "AUTH-3652-A03", + "AUTH-3652-A04", + "AUTH-3652-A09", + "AUTH-3908-A04", + "AUTH-4027", + "AUTH-577-A06", + "AUTH-592-A04", + "AUTH-710-A02", + "AUTH-748", + "AUTH-748-A02", + "AUTH-784-A04", + "AUTH-784-A05", + "AUTH-784-A06", + "AUTH-789", + "AUTH-789-A01", + "AUTH-925-A02", + "AUTH-925-A09", + "AUTH-925-A17", + "COMP-1735-A09", + "COMP-1791-A03", + "CRYP-1255", + "CRYP-1271", + "CRYP-1431-A01", + "CRYP-1525", + "CRYP-1525-A01", + "CRYP-1702-A03", + "CRYP-1749", + "CRYP-191-A02", + "CRYP-224-A08", + "CRYP-873", + "NET-1291-A16", + "NET-1471-A01", + "SEC-2853-A04", + "SEC-5595", + "SEC-6107-A02" + ], + "member_count": 57, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.8, + "source_meta_cluster": "M37", + "cluster_size": 50, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "tls_certificate_auth", + "name": "TLS-/Zertifikat-basierte Authentifizierung", + "description": "Zertifikatsbasierte Authentifizierung von Geraeten/Diensten ueber TLS mit Vertrauensanker-Validierung und bidirektionaler Authentifizierung.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "token", + "applicability": "conditional:certificate_based", + "evidence_facets": { + "governance": true, + "capability": true, 
+ "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "IA-05(2)", + "role": "best_practice" + } + ], + "member_review_units": [ + "M45", + "M7", + "M20", + "M47", + "M135", + "M141" + ], + "member_controls": [ + "ACC-495", + "ACC-495-A01", + "ACC-495-A02", + "AI-994-A04", + "AI-994-A05", + "AUTH-047-A07", + "AUTH-1300-A01", + "AUTH-1513-A04", + "AUTH-1514", + "AUTH-1517", + "AUTH-1517-A01", + "AUTH-1517-A02", + "AUTH-1517-A05", + "AUTH-1518", + "AUTH-1518-A01", + "AUTH-1518-A02", + "AUTH-1518-A05", + "AUTH-1522", + "AUTH-1526-A03", + "AUTH-1526-A04", + "AUTH-1527-A03", + "AUTH-1527-A08", + "AUTH-1530-A01", + "AUTH-1541", + "AUTH-1541-A01", + "AUTH-1580-A05", + "AUTH-1580-A11", + "AUTH-1583", + "AUTH-1583-A02", + "AUTH-1682-A07", + "AUTH-1698-A03", + "AUTH-1709-A11", + "AUTH-1759", + "AUTH-1778", + "AUTH-1784", + "AUTH-1808-A05", + "AUTH-1808-A06", + "AUTH-1820-A02", + "AUTH-1821-A01", + "AUTH-1836-A03", + "AUTH-1842", + "AUTH-1842-A01", + "AUTH-1842-A02", + "AUTH-1842-A06", + "AUTH-1860-A03", + "AUTH-2337-A03", + "AUTH-2478-A04", + "AUTH-2550-A11", + "AUTH-2986", + "AUTH-3550-A04", + "AUTH-3670-A03", + "AUTH-4098-A02", + "AUTH-4098-A03", + "AUTH-509-A04", + "AUTH-694-A04", + "AUTH-833", + "AUTH-833-A06", + "AUTH-833-A10", + "AUTH-911-A12", + "AUTH-952", + "AUTH-952-A01", + "COMP-1729-A03", + "COMP-1729-A04", + "COMP-2057-A04", + "COMP-2057-A09", + "COMP-2099-A04", + "CRYP-1024-A03", + "CRYP-1029-A03", + "CRYP-1036-A03", + "CRYP-1141-A03", + "CRYP-1239-A02", + "CRYP-1250-A03", + "CRYP-1292", + "CRYP-1292-A03", + "CRYP-1292-A08", + "CRYP-1458-A01", + "CRYP-1521-A04", + "CRYP-1533-A01", + "CRYP-1541-A06", + "CRYP-1688-A04", + "CRYP-1724-A03", + "CRYP-2019-A07", + "CRYP-2188-A08", + "CRYP-616-A02", + "CRYP-738-A04", + "CRYP-796-A04", + "CRYP-802-A01", + "CRYP-803-A02", + "CRYP-849", + "CRYP-860", + "CRYP-879-A02", + "CRYP-879-A08", + "CRYP-880-A08", + "CRYP-886", + "CRYP-894-A03", + 
"CRYP-947-A05", + "INC-980-A05", + "LOG-1704-A02", + "LOG-1704-A08", + "NET-1293-A09", + "NET-928-A06", + "NET-965-A07", + "SEC-2721-A02", + "SEC-2871-A05", + "SEC-3156-A02", + "SEC-3182", + "SEC-3199", + "SEC-3209", + "SEC-3220", + "SEC-3853-A03", + "SEC-3922-A01", + "SEC-4028-A08", + "SEC-4248-A02", + "SEC-4248-A03", + "SEC-4513-A03", + "SEC-5585-A06", + "SEC-5873-A03", + "SEC-8162-A01", + "SEC-8162-A04", + "SEC-8226-A04" + ], + "member_count": 120, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.82, + "source_meta_cluster": "M45", + "cluster_size": 53, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "service_to_service_auth", + "name": "Service-zu-Service- und API-Authentifizierung", + "description": "Alle API-Zugriffe und Service-zu-Service-Kommunikationen muessen authentisiert werden (mTLS, API-Keys, Tokens).", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "token", + "applicability": "conditional:api_or_service", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "OWASP", + "anchor": "API Security Top 10", + "role": "best_practice" + }, + { + "source": "NIST", + "anchor": "IA-03", + "role": "best_practice" + } + ], + "member_review_units": [ + "M21", + "M24", + "M39", + "M125", + "M30" + ], + "member_controls": [ + "ACC-513", + "ACC-630-A05", + "ACC-637-A01", + "ACC-653-A01", + "ACC-657-A02", + "AI-814", + "AI-814-A02", + "AI-814-A06", + "AI-814-A07", + "AI-814-A11", + "AI-814-A12", + "AI-814-A16", + "AI-814-A17", + "AI-814-A21", + "AI-814-A22", + "AI-814-A26", + "AI-814-A27", + "API-001", + "ARC-007-A06", + "AUT-003", + "AUT-004", + "AUT-006", + "AUTH-047-A04", + "AUTH-1049-A17", + "AUTH-1049-A35", + "AUTH-1049-A41", + "AUTH-1049-A50", + "AUTH-1083", + 
"AUTH-1083-A02", + "AUTH-1092", + "AUTH-1099-A04", + "AUTH-1110", + "AUTH-1303-A06", + "AUTH-1306-A02", + "AUTH-1306-A03", + "AUTH-1439-A09", + "AUTH-1445", + "AUTH-1445-A01", + "AUTH-1446", + "AUTH-1446-A02", + "AUTH-1448", + "AUTH-1463", + "AUTH-1463-A07", + "AUTH-1468", + "AUTH-1468-A03", + "AUTH-1468-A04", + "AUTH-1468-A07", + "AUTH-1472-A01", + "AUTH-1525-A03", + "AUTH-1539-A03", + "AUTH-1582", + "AUTH-1582-A02", + "AUTH-1583-A06", + "AUTH-1635-A12", + "AUTH-1637", + "AUTH-1637-A01", + "AUTH-1658-A05", + "AUTH-1696-A02", + "AUTH-1696-A03", + "AUTH-1700-A04", + "AUTH-1713", + "AUTH-1716", + "AUTH-1725", + "AUTH-1753-A04", + "AUTH-1809-A01", + "AUTH-1809-A03", + "AUTH-1809-A04", + "AUTH-1826-A10", + "AUTH-1861-A08", + "AUTH-1877", + "AUTH-1877-A01", + "AUTH-1877-A02", + "AUTH-1909", + "AUTH-1909-A01", + "AUTH-1909-A05", + "AUTH-1938", + "AUTH-1940-A08", + "AUTH-1943", + "AUTH-1943-A02", + "AUTH-1946-A03", + "AUTH-1959-A07", + "AUTH-1959-A10", + "AUTH-2289", + "AUTH-2320", + "AUTH-2337-A07", + "AUTH-2417", + "AUTH-2424-A01", + "AUTH-2464", + "AUTH-2553", + "AUTH-2553-A02", + "AUTH-2630", + "AUTH-2630-A02", + "AUTH-2635-A01", + "AUTH-2635-A02", + "AUTH-2635-A03", + "AUTH-2817-A03", + "AUTH-2817-A04", + "AUTH-2817-A05", + "AUTH-2935-A02", + "AUTH-3038", + "AUTH-3069", + "AUTH-3077", + "AUTH-3078", + "AUTH-3108-A05", + "AUTH-3112-A14", + "AUTH-3151-A08", + "AUTH-3161", + "AUTH-3258", + "AUTH-3258-A01", + "AUTH-3258-A04", + "AUTH-3258-A07", + "AUTH-3258-A10", + "AUTH-3450", + "AUTH-3458-A01", + "AUTH-3542-A09", + "AUTH-3562", + "AUTH-3594-A05", + "AUTH-3645-A05", + "AUTH-3645-A06", + "AUTH-3647-A01", + "AUTH-3647-A02", + "AUTH-3648-A06", + "AUTH-3648-A10", + "AUTH-3672-A01", + "AUTH-384", + "AUTH-3906", + "AUTH-3963-A03", + "AUTH-4006-A14", + "AUTH-4027-A03", + "AUTH-4125-A02", + "AUTH-4127-A04", + "AUTH-4130", + "AUTH-4130-A01", + "AUTH-4133-A01", + "AUTH-4135-A01", + "AUTH-505", + "AUTH-505-A02", + "AUTH-532-A03", + "AUTH-550", + "AUTH-550-A01", + "AUTH-550-A06", + 
"AUTH-586", + "AUTH-670-A06", + "AUTH-756-A03", + "AUTH-756-A04", + "AUTH-762", + "AUTH-762-A01", + "AUTH-803-A03", + "AUTH-806", + "AUTH-806-A01", + "AUTH-825-A01", + "AUTH-827-A04", + "AUTH-827-A05", + "AUTH-827-A06", + "AUTH-827-A09", + "AUTH-827-A13", + "AUTH-827-A14", + "AUTH-837-A06", + "AUTH-837-A13", + "AUTH-838", + "AUTH-838-A04", + "AUTH-838-A06", + "AUTH-838-A08", + "AUTH-838-A24", + "AUTH-838-A34", + "AUTH-846", + "AUTH-846-A01", + "AUTH-846-A02", + "AUTH-846-A07", + "AUTH-846-A10", + "AUTH-846-A11", + "AUTH-846-A16", + "AUTH-846-A17", + "AUTH-846-A20", + "AUTH-846-A21", + "AUTH-846-A26", + "AUTH-846-A27", + "AUTH-846-A30", + "AUTH-846-A31", + "AUTH-846-A36", + "AUTH-846-A39", + "AUTH-846-A40", + "AUTH-846-A45", + "AUTH-846-A46", + "AUTH-849", + "AUTH-849-A10", + "AUTH-849-A17", + "AUTH-849-A28", + "AUTH-849-A33", + "AUTH-849-A34", + "AUTH-849-A45", + "AUTH-849-A48", + "AUTH-849-A49", + "AUTH-849-A60", + "AUTH-850-A04", + "AUTH-850-A24", + "AUTH-850-A33", + "AUTH-850-A41", + "AUTH-909", + "AUTH-914", + "AUTH-915", + "AUTH-915-A07", + "AUTH-915-A13", + "AUTH-915-A14", + "AUTH-919-A01", + "AUTH-919-A07", + "AUTH-949-A18", + "COM-004", + "COMP-001-A41", + "COMP-001-A83", + "COMP-074-A02", + "COMP-074-A09", + "COMP-1055", + "COMP-1079-A02", + "COMP-1079-A10", + "COMP-1812-A02", + "COMP-1817", + "COMP-1904-A01", + "COMP-1960-A05", + "COMP-2012-A02", + "COMP-2129-A03", + "COMP-2129-A09", + "COMP-2182-A02", + "COMP-3983-A09", + "COMP-3983-A10", + "COMP-3983-A14", + "CRYP-1017-A01", + "CRYP-1028-A03", + "CRYP-1103-A11", + "CRYP-1227", + "CRYP-1227-A02", + "CRYP-1227-A08", + "CRYP-1250-A10", + "CRYP-1255-A01", + "CRYP-1305-A03", + "CRYP-1305-A06", + "CRYP-1323-A02", + "CRYP-1421-A07", + "CRYP-1431-A08", + "CRYP-1433-A01", + "CRYP-1433-A05", + "CRYP-1466", + "CRYP-1466-A01", + "CRYP-1466-A02", + "CRYP-1469-A01", + "CRYP-1519-A06", + "CRYP-1530-A02", + "CRYP-1722-A02", + "CRYP-1722-A07", + "CRYP-1791-A02", + "CRYP-1884-A04", + "CRYP-193-A03", + "CRYP-1993-A03", + 
"CRYP-2094-A03", + "CRYP-721-A02", + "CRYP-868-A02", + "CRYP-886-A01", + "DATA-014-A01", + "DATA-2668-A01", + "DATA-4666-A04", + "FIN-852", + "FIN-891-A08", + "GOV-1403-A12", + "GOV-1605-A01", + "GOV-1648-A01", + "GOV-1648-A02", + "GOV-3072-A05", + "GOV-3871", + "GOV-3909-A01", + "GOV-3909-A02", + "GOV-500-A02", + "GOV-500-A07", + "GOV-500-A12", + "GOV-500-A17", + "HLT-122-A04", + "IDA-002", + "IDA-005", + "LAB-246-A08", + "LOG-1859", + "LOG-712-A04", + "NET-1233-A07", + "NET-1293-A04", + "NET-1466-A09", + "NET-1471", + "NET-1471-A05", + "NET-1633-A01", + "NET-1669-A02", + "NET-1683-A06", + "NET-351-A09", + "NET-380", + "NET-656-A06", + "NET-656-A14", + "NET-656-A22", + "NET-656-A30", + "NET-656-A38", + "NET-656-A46", + "NET-825-A03", + "NET-857-A02", + "NET-857-A03", + "NET-857-A11", + "NET-859", + "NET-859-A01", + "NET-859-A02", + "NET-859-A03", + "NET-859-A04", + "NET-860-A01", + "NET-867-A07", + "NET-879-A03", + "NET-903-A09", + "NET-931-A02", + "NET-938-A06", + "NET-965-A03", + "SEC-1013-A03", + "SEC-1013-A05", + "SEC-1013-A07", + "SEC-1153-A03", + "SEC-1153-A23", + "SEC-1153-A29", + "SEC-1153-A47", + "SEC-1153-A79", + "SEC-1223", + "SEC-2698-A01", + "SEC-2788-A02", + "SEC-2788-A08", + "SEC-2809-A01", + "SEC-2818-A01", + "SEC-2818-A02", + "SEC-2899", + "SEC-2899-A02", + "SEC-2927-A04", + "SEC-3159-A05", + "SEC-3217-A03", + "SEC-3383-A02", + "SEC-3383-A07", + "SEC-3431-A05", + "SEC-3633-A11", + "SEC-3709-A10", + "SEC-4292", + "SEC-4292-A01", + "SEC-4292-A02", + "SEC-4292-A10", + "SEC-4513", + "SEC-4513-A02", + "SEC-4561-A01", + "SEC-4561-A03", + "SEC-4733-A02", + "SEC-5615", + "SEC-5792-A02", + "SEC-5811-A01", + "SEC-5811-A02", + "SEC-6170-A02", + "SEC-6296", + "SEC-6382-A03", + "SEC-6784-A05", + "SEC-6846-A05", + "SEC-6925-A09", + "SEC-7343-A03", + "SEC-7963-A02", + "SEC-8016", + "SEC-8041-A07", + "SEC-9014-A16", + "SEC-9175" + ], + "member_count": 362, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + 
"review_status": "draft", + "provenance": { + "discovery_confidence": 0.82, + "source_meta_cluster": "M21", + "cluster_size": 39, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "merged_from": [ + "npe_device_authentication" + ] + }, + { + "id": "auth_key_management", + "name": "Verwaltung von Authentifizierungsschluesseln", + "description": "Symmetrische und asymmetrische Authentifizierungsschluessel sind sicher zu erzeugen, zu speichern (HSM/zertifizierte Module) und zu verwalten.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "credential", + "applicability": "conditional:crypto_auth", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "TR-02102", + "role": "best_practice" + } + ], + "member_review_units": [ + "M74", + "M84", + "M66", + "M143", + "M60", + "M164" + ], + "member_controls": [ + "AUTH-1650", + "AUTH-1653-A06", + "AUTH-1667-A01", + "AUTH-1675", + "AUTH-1675-A02", + "AUTH-1681", + "AUTH-1681-A01", + "AUTH-1688-A05", + "AUTH-1692-A05", + "AUTH-1709-A07", + "AUTH-1751", + "AUTH-1751-A01", + "AUTH-1751-A02", + "AUTH-1819-A01", + "AUTH-1828", + "AUTH-1828-A01", + "AUTH-1845-A04", + "AUTH-1860-A04", + "AUTH-1861", + "AUTH-1861-A01", + "AUTH-1862", + "AUTH-1862-A01", + "AUTH-1865", + "AUTH-1865-A01", + "AUTH-1865-A08", + "AUTH-1910", + "AUTH-1948", + "AUTH-1949", + "AUTH-1949-A07", + "AUTH-1949-A09", + "AUTH-625", + "AUTH-625-A01", + "COMP-1960", + "COMP-1960-A02", + "COMP-1960-A03", + "CRYP-1044-A01", + "CRYP-1089-A01", + "CRYP-1124-A04", + "CRYP-1158-A06", + "CRYP-1162-A04", + "CRYP-1201-A01", + "CRYP-1217-A02", + "CRYP-1433-A03", + "CRYP-1439", + "CRYP-1439-A01", + "CRYP-1439-A08", + "CRYP-1458-A06", + "CRYP-1458-A09", + "CRYP-1473", + "CRYP-1535", + "CRYP-1535-A04", + "CRYP-1535-A05", + "CRYP-1535-A11", + "CRYP-1872-A02", + "CRYP-780-A02", + "CRYP-952-A01", + 
"CRYP-973", + "SEC-3683-A04", + "SEC-3735-A02" + ], + "member_count": 59, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.82, + "source_meta_cluster": "M74", + "cluster_size": 18, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "biometric_authentication", + "name": "Biometrische Authentifizierung", + "description": "Biometrische Authentifizierung ist mit definierten Fehlerquoten, Deaktivierbarkeit und sicherer Verarbeitung umzusetzen.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "biometrics", + "applicability": "conditional:biometric", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-63B 5.2.3", + "role": "best_practice" + } + ], + "member_review_units": [ + "M101", + "M51", + "M38", + "M115", + "M100", + "M30" + ], + "member_controls": [ + "AUTH-1049-A35", + "AUTH-1049-A50", + "AUTH-1303-A05", + "AUTH-1624", + "AUTH-1637", + "AUTH-1637-A01", + "AUTH-1725", + "AUTH-1790-A04", + "AUTH-1901-A05", + "AUTH-2452-A07", + "AUTH-2464", + "AUTH-2689-A04", + "AUTH-2873-A04", + "AUTH-2883-A03", + "AUTH-2883-A05", + "AUTH-2894-A07", + "AUTH-2898-A02", + "AUTH-2945-A11", + "AUTH-3161", + "AUTH-3166-A07", + "AUTH-3595-A02", + "AUTH-3652-A11", + "AUTH-3677-A04", + "AUTH-3921", + "AUTH-3947", + "AUTH-4006-A14", + "AUTH-4135-A01", + "AUTH-577-A04", + "AUTH-637-A31", + "AUTH-661-A09", + "AUTH-661-A22", + "AUTH-827-A04", + "AUTH-827-A13", + "AUTH-895-A07", + "AUTH-895-A17", + "AUTH-895-A27", + "CRYP-1064-A10", + "CRYP-1684-A07", + "CRYP-1927-A13", + "DATA-1810-A02", + "DATA-4666-A04", + "SEC-019-A02", + "SEC-019-A14", + "SEC-019-A29", + "SEC-3383", + "SEC-3383-A01", + "SEC-4028-A04", + "SEC-6846-A05", + "SEC-7793-A09", + "SEC-8996-A06" + ], + 
"member_count": 50, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.82, + "source_meta_cluster": "M101", + "cluster_size": 7, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "federated_auth_assertions", + "name": "Foederierte Authentifizierung und Assertions", + "description": "Bei foederierter Authentifizierung (SAML/OIDC) sind Assertions einmalig zu verwenden, IdP-Namespaces zu trennen und FAL-Anforderungen einzuhalten.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "token", + "applicability": "conditional:federation", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-63C", + "role": "best_practice" + } + ], + "member_review_units": [ + "M23", + "M49", + "M124", + "M125", + "M127", + "M129", + "M28" + ], + "member_controls": [ + "AUT-002", + "AUTH-088-A06", + "AUTH-1005-A01", + "AUTH-1052-A13", + "AUTH-1052-A22", + "AUTH-1052-A36", + "AUTH-1059", + "AUTH-1312-A01", + "AUTH-1468-A09", + "AUTH-1574-A02", + "AUTH-1658", + "AUTH-1658-A01", + "AUTH-1658-A06", + "AUTH-1658-A07", + "AUTH-1663-A06", + "AUTH-1785-A07", + "AUTH-1859-A01", + "AUTH-2417-A02", + "AUTH-2573-A02", + "AUTH-2793-A04", + "AUTH-3286-A07", + "AUTH-3545-A01", + "AUTH-3634", + "AUTH-3642-A04", + "AUTH-3981-A06", + "AUTH-4000-A01", + "AUTH-515", + "AUTH-515-A02", + "AUTH-515-A03", + "AUTH-515-A04", + "AUTH-515-A07", + "AUTH-524-A02", + "AUTH-524-A06", + "AUTH-524-A09", + "AUTH-586-A01", + "AUTH-700-A01", + "AUTH-742-A08", + "AUTH-756-A03", + "AUTH-756-A04", + "AUTH-762", + "AUTH-762-A01", + "AUTH-762-A06", + "AUTH-816", + "AUTH-820", + "AUTH-820-A01", + "AUTH-825-A01", + "AUTH-838", + "AUTH-838-A04", + "AUTH-838-A06", + "AUTH-838-A08", + "AUTH-838-A24", + 
"AUTH-838-A34", + "AUTH-849-A14", + "AUTH-849-A15", + "AUTH-849-A21", + "AUTH-849-A22", + "AUTH-849-A38", + "AUTH-849-A39", + "AUTH-849-A53", + "AUTH-849-A54", + "AUTH-849-A68", + "AUTH-855-A04", + "AUTH-855-A19", + "AUTH-855-A34", + "AUTH-855-A50", + "AUTH-855-A64", + "AUTH-898", + "AUTH-898-A09", + "AUTH-898-A17", + "AUTH-906-A04", + "AUTH-906-A09", + "AUTH-906-A14", + "AUTH-906-A18", + "AUTH-906-A24", + "AUTH-941-A03", + "AUTH-941-A09", + "AUTH-941-A16", + "AUTH-961-A15", + "BND-001-A02", + "BND-001-A07", + "CRYP-1172-A02", + "CRYP-1257", + "CRYP-1389-A07", + "CRYP-436", + "CRYP-873-A07", + "IDF-004", + "IDF-004-A01", + "IDF-006", + "INC-978-A11", + "LOG-712-A04", + "NET-1683-A02", + "SEC-1153-A03", + "SEC-1153-A23", + "SEC-1153-A29", + "SEC-1153-A47", + "SEC-1153-A79", + "SEC-2809-A03", + "SEC-8104", + "SEC-8104-A04", + "SEC-8244-A10" + ], + "member_count": 100, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.8, + "source_meta_cluster": "M49", + "cluster_size": 3, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "separate_authn_authz", + "name": "Trennung von Authentifizierung und Autorisierung", + "description": "Authentifizierungsschritt ist von Autorisierung/Anwendung zu trennen; minimal notwendige Daten verwenden.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "credential", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "AC-03", + "role": "best_practice" + } + ], + "member_review_units": [ + "M37", + "M129", + "M130", + "M40" + ], + "member_controls": [ + "AUTH-1300-A02", + "AUTH-1437-A02", + "AUTH-1437-A03", + "AUTH-1441-A07", + "AUTH-1441-A08", + "AUTH-1468-A02", + "AUTH-148-A11", + 
"AUTH-1678-A07", + "AUTH-1747", + "AUTH-1753-A05", + "AUTH-1817", + "AUTH-1835-A08", + "AUTH-1839-A05", + "AUTH-1843-A07", + "AUTH-1843-A09", + "AUTH-1913", + "AUTH-1947-A07", + "AUTH-1959-A04", + "AUTH-1959-A06", + "AUTH-1959-A08", + "AUTH-2419-A06", + "AUTH-2425", + "AUTH-2466-A08", + "AUTH-2553-A12", + "AUTH-2906-A01", + "AUTH-2906-A08", + "AUTH-2933-A04", + "AUTH-2935", + "AUTH-2935-A08", + "AUTH-2937-A05", + "AUTH-2943-A08", + "AUTH-2987-A06", + "AUTH-2996-A05", + "AUTH-3255", + "AUTH-3430-A02", + "AUTH-3652", + "AUTH-3652-A01", + "AUTH-3652-A02", + "AUTH-3652-A03", + "AUTH-3652-A04", + "AUTH-3652-A09", + "AUTH-3908-A04", + "AUTH-4007-A06", + "AUTH-4031-A07", + "AUTH-4043", + "AUTH-4043-A06", + "AUTH-4135-A03", + "AUTH-577-A06", + "AUTH-592-A04", + "AUTH-710-A02", + "AUTH-745-A05", + "AUTH-748", + "AUTH-748-A02", + "AUTH-784-A04", + "AUTH-784-A05", + "AUTH-784-A06", + "AUTH-789", + "AUTH-789-A01", + "AUTH-906-A04", + "AUTH-906-A09", + "AUTH-906-A14", + "AUTH-906-A18", + "AUTH-906-A24", + "AUTH-925-A02", + "AUTH-925-A09", + "AUTH-925-A17", + "AUTH-933", + "AUTH-941-A03", + "AUTH-941-A09", + "AUTH-941-A16", + "AUTH-942", + "COMP-1735-A09", + "COMP-3983-A12", + "CRYP-1255", + "CRYP-1271", + "CRYP-1702-A03", + "CRYP-191-A02", + "CRYP-224-A08", + "CRYP-873", + "DATA-2663-A04", + "NET-1014-A04", + "NET-1291-A16", + "NET-1471-A01", + "SEC-1085", + "SEC-2853-A04", + "SEC-5792-A04", + "SEC-6107-A02", + "SEC-8104" + ], + "member_count": 88, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.75, + "source_meta_cluster": "M129", + "cluster_size": 9, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "remote_access_authentication", + "name": "Starke Authentifizierung fuer Remote-/Wartungszugriffe", + "description": "Remote-, WLAN- und Wartungszugriffe muessen ueber Authentifizierungs-Gateways mit starker Authentifizierung 
abgesichert werden.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "credential", + "applicability": "conditional:remote_access", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "AC-17", + "role": "best_practice" + } + ], + "member_review_units": [ + "M1", + "M13", + "M96", + "M144", + "M46" + ], + "member_controls": [ + "ACC-001-A14", + "ACC-001-A17", + "ACC-001-A29", + "ACC-0410-A03", + "ACC-082-A08", + "ACC-082-A09", + "ACC-082-A17", + "ACC-082-A18", + "ACC-320-A16", + "ACC-320-A18", + "ACC-320-A24", + "ACC-320-A34", + "ACC-320-A40", + "ACC-320-A48", + "ACC-478-A08", + "ACC-499-A07", + "ACC-508-A06", + "ACC-559-A04", + "ACC-578-A07", + "ACC-584-A05", + "ACC-607", + "AI-052-A28", + "AI-052-A29", + "AI-797-A09", + "AI-797-A18", + "AI-797-A36", + "AI-797-A45", + "AI-924-A13", + "AI-924-A14", + "AUTH-008-A25", + "AUTH-047-A02", + "AUTH-1049-A56", + "AUTH-1050-A13", + "AUTH-1061-A75", + "AUTH-1084", + "AUTH-1093-A03", + "AUTH-1095-A02", + "AUTH-1096", + "AUTH-1096-A01", + "AUTH-1102-A14", + "AUTH-112-A04", + "AUTH-112-A17", + "AUTH-1135-A03", + "AUTH-1135-A04", + "AUTH-1168-A02", + "AUTH-1168-A03", + "AUTH-1288", + "AUTH-1299-A05", + "AUTH-1300-A05", + "AUTH-1313-A04", + "AUTH-1314-A03", + "AUTH-1445-A02", + "AUTH-1463-A04", + "AUTH-1463-A09", + "AUTH-1466-A09", + "AUTH-1468-A01", + "AUTH-1468-A06", + "AUTH-1522-A04", + "AUTH-1522-A05", + "AUTH-1524-A04", + "AUTH-1529-A04", + "AUTH-1634-A04", + "AUTH-1640-A01", + "AUTH-1645", + "AUTH-1645-A02", + "AUTH-1669-A05", + "AUTH-1669-A06", + "AUTH-1679", + "AUTH-1679-A02", + "AUTH-1711-A06", + "AUTH-1742-A01", + "AUTH-1742-A07", + "AUTH-1748-A04", + "AUTH-1748-A06", + "AUTH-1759-A05", + "AUTH-1790", + "AUTH-1806", + "AUTH-1818-A11", + "AUTH-1860-A05", + "AUTH-1860-A08", + "AUTH-1860-A09", + "AUTH-1862-A09", + "AUTH-1865-A12", + "AUTH-187-A11", + 
"AUTH-1910-A05", + "AUTH-1912-A07", + "AUTH-1940-A04", + "AUTH-2121-A04", + "AUTH-2315-A04", + "AUTH-2338-A04", + "AUTH-2338-A09", + "AUTH-2399-A07", + "AUTH-2405-A06", + "AUTH-2411", + "AUTH-2413", + "AUTH-2413-A01", + "AUTH-2421-A03", + "AUTH-2444-A08", + "AUTH-2553", + "AUTH-2553-A02", + "AUTH-2660-A02", + "AUTH-2793", + "AUTH-2793-A02", + "AUTH-2805-A06", + "AUTH-2805-A11", + "AUTH-2850", + "AUTH-2851-A10", + "AUTH-2875-A01", + "AUTH-2879", + "AUTH-2879-A02", + "AUTH-2943-A01", + "AUTH-2974-A04", + "AUTH-2979-A07", + "AUTH-3004", + "AUTH-3007-A03", + "AUTH-3011-A06", + "AUTH-3016", + "AUTH-3045-A04", + "AUTH-3068-A06", + "AUTH-3082-A10", + "AUTH-3266-A07", + "AUTH-3399-A06", + "AUTH-3460-A04", + "AUTH-3461-A03", + "AUTH-3461-A05", + "AUTH-3486-A05", + "AUTH-3486-A10", + "AUTH-3541-A06", + "AUTH-3542-A06", + "AUTH-3545", + "AUTH-3554-A02", + "AUTH-3595", + "AUTH-3595-A06", + "AUTH-3595-A08", + "AUTH-3596", + "AUTH-3596-A04", + "AUTH-3597-A06", + "AUTH-3599-A04", + "AUTH-3638", + "AUTH-3643-A06", + "AUTH-3647", + "AUTH-3751-A08", + "AUTH-3948-A04", + "AUTH-3958-A02", + "AUTH-3963-A03", + "AUTH-3964-A07", + "AUTH-3993", + "AUTH-3993-A02", + "AUTH-4027-A02", + "AUTH-4028-A05", + "AUTH-4030-A03", + "AUTH-4031-A08", + "AUTH-4032-A02", + "AUTH-4036-A04", + "AUTH-4085", + "AUTH-4085-A01", + "AUTH-4095-A17", + "AUTH-494-A02", + "AUTH-505", + "AUTH-505-A02", + "AUTH-505-A06", + "AUTH-532-A02", + "AUTH-550", + "AUTH-550-A01", + "AUTH-550-A06", + "AUTH-559-A04", + "AUTH-559-A13", + "AUTH-584-A06", + "AUTH-586", + "AUTH-586-A03", + "AUTH-586-A04", + "AUTH-615-A06", + "AUTH-623-A07", + "AUTH-623-A08", + "AUTH-710-A06", + "AUTH-732-A01", + "AUTH-743-A04", + "AUTH-743-A10", + "AUTH-751-A05", + "AUTH-751-A06", + "AUTH-751-A07", + "AUTH-751-A08", + "AUTH-762-A11", + "AUTH-774-A01", + "AUTH-782-A06", + "AUTH-784-A08", + "AUTH-784-A09", + "AUTH-795-A02", + "AUTH-804-A05", + "AUTH-822-A06", + "AUTH-822-A08", + "AUTH-824-A15", + "AUTH-836", + "AUTH-836-A01", + "AUTH-836-A02", + 
"AUTH-836-A06", + "AUTH-836-A08", + "AUTH-836-A09", + "AUTH-836-A12", + "AUTH-836-A17", + "AUTH-836-A18", + "AUTH-837-A07", + "AUTH-845-A06", + "AUTH-845-A07", + "AUTH-845-A18", + "AUTH-845-A19", + "AUTH-845-A29", + "AUTH-845-A38", + "AUTH-845-A39", + "AUTH-845-A50", + "AUTH-845-A54", + "AUTH-845-A55", + "AUTH-846-A09", + "AUTH-846-A19", + "AUTH-846-A29", + "AUTH-846-A38", + "AUTH-846-A48", + "AUTH-849-A03", + "AUTH-849-A12", + "AUTH-849-A19", + "AUTH-849-A26", + "AUTH-849-A27", + "AUTH-849-A31", + "AUTH-849-A32", + "AUTH-849-A36", + "AUTH-849-A43", + "AUTH-849-A44", + "AUTH-849-A46", + "AUTH-849-A47", + "AUTH-849-A51", + "AUTH-849-A58", + "AUTH-849-A59", + "AUTH-850-A19", + "AUTH-850-A29", + "AUTH-850-A38", + "AUTH-850-A46", + "AUTH-925-A05", + "AUTH-925-A06", + "AUTH-925-A12", + "AUTH-986-A08", + "AUTH-986-A09", + "AUTH-995-A05", + "AUTH-995-A85", + "AUTH-996-A04", + "AUTH-996-A17", + "COMP-1055", + "COMP-1264-A04", + "COMP-1904-A06", + "COMP-1904-A07", + "COMP-1948", + "COMP-1948-A02", + "COMP-2129-A04", + "CRYP-1013-A01", + "CRYP-1141-A09", + "CRYP-1210-A09", + "CRYP-1299-A09", + "CRYP-1372-A05", + "CRYP-1421-A07", + "CRYP-1433-A07", + "CRYP-1725-A02", + "CRYP-1750-A09", + "CRYP-1755-A04", + "CRYP-1864-A05", + "CRYP-191", + "CRYP-193-A03", + "CRYP-1993-A03", + "CRYP-2142-A06", + "CRYP-2148-A06", + "CRYP-2179-A09", + "CRYP-2334", + "CRYP-289", + "CRYP-303", + "CRYP-447-A20", + "CRYP-637-A10", + "CRYP-671-A01", + "CRYP-671-A02", + "CRYP-713-A07", + "CRYP-738-A06", + "CRYP-790", + "CRYP-876-A07", + "CRYP-877-A06", + "CRYP-900-A04", + "CRYP-914-A06", + "DATA-2493-A12", + "DATA-2510-A07", + "DATA-3376-A06", + "DATA-4225-A04", + "DATA-4317-A05", + "DATA-598-A05", + "DATA-598-A06", + "GOV-180-A06", + "GOV-180-A12", + "GOV-2076-A13", + "GOV-3110-A02", + "LOG-107-A02", + "LOG-1861-A06", + "NET-1233-A07", + "NET-1293-A02", + "NET-334-A04", + "NET-334-A10", + "NET-806-A02", + "NET-857-A06", + "NET-857-A12", + "NET-860-A09", + "NET-879-A03", + "NET-901-A04", + 
"NET-920-A02", + "NET-965", + "SEC-052-A06", + "SEC-093-A05", + "SEC-093-A06", + "SEC-2643-A15", + "SEC-2738-A06", + "SEC-2809", + "SEC-2809-A02", + "SEC-2809-A05", + "SEC-2809-A09", + "SEC-2841-A03", + "SEC-2853-A01", + "SEC-3383-A03", + "SEC-3406", + "SEC-3740-A03", + "SEC-3842-A02", + "SEC-3965-A02", + "SEC-4028-A03", + "SEC-4076-A02", + "SEC-4292-A12", + "SEC-4295", + "SEC-4295-A04", + "SEC-4509", + "SEC-4513-A07", + "SEC-4560-A03", + "SEC-5435-A03", + "SEC-5505-A05", + "SEC-5767-A01", + "SEC-6784-A08", + "SEC-6804-A01", + "SEC-6804-A02", + "SEC-6833-A07", + "SEC-7963-A03", + "SEC-7963-A04", + "SEC-7984-A07", + "SEC-8334-A06" + ], + "member_count": 343, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.8, + "source_meta_cluster": "M13", + "cluster_size": 65, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "supplier_access_auth", + "name": "Starke Authentifizierung fuer Lieferanten-/Vendor-Zugriffe", + "description": "Externe Lieferanten- und Vendor-Zugriffe erfordern starke (Multi-Faktor-)Authentifizierung.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "mfa", + "applicability": "conditional:third_party_access", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "ISO", + "anchor": "ISO 27001 A.5.19", + "role": "best_practice" + } + ], + "member_review_units": [ + "M94", + "M29" + ], + "member_controls": [ + "AUTH-088-A07", + "AUTH-1011-A11", + "AUTH-1011-A13", + "AUTH-2473-A01", + "AUTH-2473-A02", + "AUTH-2484-A01", + "AUTH-2552-A03", + "AUTH-2689-A02", + "AUTH-2968", + "AUTH-2996", + "AUTH-3021-A07", + "AUTH-3165-A02", + "AUTH-3333-A06", + "AUTH-3469-A03", + "AUTH-3547", + "AUTH-3659-A01", + "AUTH-3705-A02", + "AUTH-3825-A08", + "AUTH-3887-A01", + 
"AUTH-3908-A05", + "AUTH-3915", + "AUTH-3915-A01", + "AUTH-3929-A01", + "AUTH-3958-A03", + "AUTH-3968-A09", + "AUTH-3977-A02", + "AUTH-4083-A05", + "AUTH-538-A04", + "AUTH-648-A02", + "AUTH-745-A04", + "AUTH-785-A02", + "AUTH-803", + "AUTH-824-A09", + "AUTH-824-A16", + "AUTH-845-A02", + "AUTH-845-A14", + "AUTH-845-A25", + "AUTH-845-A28", + "AUTH-845-A46", + "AUTH-902", + "AUTH-903-A21", + "AUTH-903-A22", + "COMP-3978-A02", + "CRYP-1751", + "CRYP-1751-A01", + "GIA-002", + "LOG-1506-A03", + "LOG-967-A06", + "NET-040-A03", + "NET-040-A12", + "NET-1166-A05", + "NET-1787-A12", + "SEC-171-A47", + "SEC-2781-A01", + "SEC-387-A10", + "SEC-387-A24", + "SEC-3870", + "SEC-418-A15", + "SEC-5767", + "SEC-5915-A06", + "SEC-7686-A05", + "SEC-8847-A02" + ], + "member_count": 62, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.72, + "source_meta_cluster": "M94", + "cluster_size": 55, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + } + }, + { + "id": "personal_admin_accounts", + "name": "Persoenliche Authentifizierung fuer Administratoren", + "description": "Administratoren muessen persoenliche, eindeutige Authentifizierungsmittel verwenden; keine Gruppen-/geteilten Konten ohne Rollentrennung.", + "tier": "BEST_PRACTICE", + "family": "authentication", + "subdomain": "credential", + "applicability": "conditional:admin_access", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "ISO", + "anchor": "ISO 27001 A.8.2", + "role": "best_practice" + }, + { + "source": "NIST", + "anchor": "IA-04", + "role": "best_practice" + } + ], + "member_review_units": [ + "M35", + "M53" + ], + "member_controls": [ + "AUTH-1283-A03", + "AUTH-1295-A02", + "AUTH-1313-A02", + "AUTH-1524-A03", + "AUTH-1627", + "AUTH-1631-A01", + "AUTH-1634", + 
"AUTH-1634-A01", + "AUTH-1646", + "AUTH-1661-A10", + "AUTH-1669-A01", + "AUTH-1693", + "AUTH-1693-A01", + "AUTH-1721-A01", + "AUTH-1734-A02", + "AUTH-1811-A08", + "AUTH-1858", + "AUTH-1915", + "AUTH-1915-A01", + "AUTH-2317-A02", + "AUTH-2375-A05", + "AUTH-2416", + "AUTH-2416-A05", + "AUTH-2416-A08", + "AUTH-2423", + "AUTH-2423-A04", + "AUTH-2430-A01", + "AUTH-2793-A01", + "AUTH-2850-A03", + "AUTH-2850-A04", + "AUTH-2875-A02", + "AUTH-2921", + "AUTH-2945", + "AUTH-2956", + "AUTH-2975", + "AUTH-2995", + "AUTH-3016-A14", + "AUTH-3017-A07", + "AUTH-3018-A05", + "AUTH-3255-A02", + "AUTH-3258-A02", + "AUTH-3305", + "AUTH-3425-A03", + "AUTH-3430-A01", + "AUTH-3550-A02", + "AUTH-3597-A01", + "AUTH-3751-A04", + "AUTH-3865-A07", + "AUTH-3948-A02", + "AUTH-3955-A07", + "AUTH-3958-A01", + "AUTH-3958-A06", + "AUTH-3987", + "AUTH-3987-A02", + "AUTH-4050", + "AUTH-4121-A02", + "AUTH-670", + "AUTH-718", + "AUTH-818-A08", + "AUTH-818-A14", + "AUTH-850", + "AUTH-919", + "AUTH-987", + "AUTH-987-A01", + "AUTH-987-A23", + "AUTH-987-A24", + "COMP-1264", + "COMP-1745-A03", + "COMP-1886-A08", + "COMP-262-A01", + "COMP-2876-A05", + "COMP-3983", + "COMP-3983-A13", + "CRYP-1134-A05", + "CRYP-1159-A02", + "CRYP-1712-A01", + "CRYP-1732-A01", + "CRYP-1942-A10", + "CRYP-2101-A02", + "CRYP-2173-A01", + "CRYP-2363-A05", + "CRYP-880-A04", + "DATA-4027-A02", + "NET-004-A05", + "NET-004-A09", + "NET-004-A19", + "NET-104-A02", + "NET-104-A10", + "NET-1293-A07", + "NET-1309-A01", + "NET-1343-A05", + "NET-149-A01", + "NET-149-A11", + "NET-1856-A05", + "SEC-171-A16", + "SEC-171-A34", + "SEC-2035-A04", + "SEC-2153-A03", + "SEC-2809-A04", + "SEC-3223", + "SEC-3643-A08", + "SEC-3728-A08", + "SEC-4561-A04", + "SEC-5610-A02", + "SEC-5780", + "SEC-8325" + ], + "member_count": 106, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.74, + "source_meta_cluster": "M35", + "cluster_size": 99, + 
"llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "merged_from": [ + "distinct_credentials_per_role" + ] + }, + { + "id": "firmware_software_authentication", + "name": "Authentifizierung von Software-/Firmware-Komponenten", + "description": "Software- und Firmware-Komponenten sowie Updates sind kryptografisch zu authentisieren und zu signieren.", + "tier": "LEGAL_MINIMUM", + "family": "authentication", + "subdomain": "credential", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I (2)(c)", + "citation": "ensure that vulnerabilities can be addressed through security updates... ensuring integrity" + } + ], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SI-07", + "role": "best_practice" + } + ], + "member_review_units": [ + "M79", + "M44", + "M118", + "M168", + "M167" + ], + "member_controls": [ + "AUTH-1480", + "AUTH-1480-A01", + "AUTH-1677-A02", + "AUTH-1677-A08", + "AUTH-1746", + "AUTH-1746-A01", + "AUTH-1825", + "AUTH-2371-A05", + "AUTH-2416-A07", + "AUTH-2438", + "AUTH-2817-A01", + "AUTH-3068", + "AUTH-3068-A01", + "AUTH-3068-A03", + "AUTH-3068-A05", + "AUTH-3073-A01", + "AUTH-3554-A01", + "AUTH-3554-A05", + "AUTH-3712", + "AUTH-4048", + "AUTH-4053", + "AUTH-4130-A03", + "CRYP-1089-A02", + "CRYP-1214-A04", + "CRYP-1751-A10", + "CRYP-1751-A11", + "DATA-1240-A08", + "DATA-2572", + "DATA-3649-A14", + "INC-946-A11", + "NET-981-A10", + "SEC-1085-A09", + "SEC-3991", + "SEC-5595", + "SEC-6377", + "SEC-6784-A01", + "SEC-6784-A02" + ], + "member_count": 37, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.78, + "source_meta_cluster": "M79", + "cluster_size": 4, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + 
} + } + ], + "relationships": [ + { + "type": "depends_on", + "from": "mfa_privileged_access", + "to": "mfa_required", + "note": "MFA fuer Privilegierte konkretisiert allgemeine MFA-Pflicht" + }, + { + "type": "depends_on", + "from": "step_up_authentication", + "to": "user_authentication_required", + "note": "Step-up setzt etablierte Basisauthentifizierung voraus" + }, + { + "type": "depends_on", + "from": "password_policy", + "to": "user_authentication_required", + "note": "Passwortregeln gelten innerhalb der Authentifizierungspflicht" + }, + { + "type": "supports", + "from": "credential_confidentiality_protection", + "to": "credential_storage_hashing", + "note": "sichere Speicherung dient Vertraulichkeit" + }, + { + "type": "supports", + "from": "account_lockout_failed_attempts", + "to": "user_authentication_required", + "note": "Lockout schuetzt Authentifizierung gegen Brute-Force" + }, + { + "type": "produces_evidence_for", + "from": "auth_failure_logging", + "to": "user_authentication_required", + "note": "Protokolle belegen Authentifizierungsdurchsetzung" + }, + { + "type": "produces_evidence_for", + "from": "auth_testing", + "to": "user_authentication_required", + "note": "Testnachweise belegen Wirksamkeit" + }, + { + "type": "produces_evidence_for", + "from": "auth_inventory", + "to": "auth_suitability_assessment", + "note": "Inventar ist Grundlage der Eignungsbewertung" + }, + { + "type": "supports", + "from": "auth_anomaly_detection", + "to": "user_authentication_required", + "note": "Anomalieerkennung staerkt Authentifizierungssicherheit" + }, + { + "type": "implements", + "from": "mutual_authentication", + "to": "encrypted_auth_channel", + "note": "mTLS realisiert verschluesselten gegenseitig authentisierten Kanal" + }, + { + "type": "implements", + "from": "tls_certificate_auth", + "to": "mutual_authentication", + "note": "Zertifikatsauth implementiert gegenseitige Authentifizierung" + }, + { + "type": "supports", + "from": "replay_protection_nonce", + 
"to": "mutual_authentication", + "note": "Nonces verhindern Replay in Auth-Protokollen" + }, + { + "type": "derived_from", + "from": "pki_pace_chip_authentication", + "to": "strong_crypto_authentication", + "note": "PACE/Chip-Auth ist konkrete Umsetzung kryptographischer Authentifizierung" + }, + { + "type": "supports", + "from": "auth_key_management", + "to": "strong_crypto_authentication", + "note": "Schluesselverwaltung untermauert kryptographische Authentifizierung" + }, + { + "type": "depends_on", + "from": "risk_based_authentication", + "to": "auth_risk_assessment", + "note": "AAL-Wahl basiert auf Risikobewertung" + }, + { + "type": "depends_on", + "from": "reauth_after_inactivity", + "to": "session_binding_management", + "note": "Reauth ist Teil des Session-Managements" + }, + { + "type": "out_of_scope", + "obligation": "pki_pace_chip_authentication", + "review_units": [ + "M54", + "M58", + "M61", + "M65", + "M77", + "M137", + "M142", + "M148", + "M166", + "M153", + "M85", + "M86", + "M76", + "M81", + "M133", + "M55", + "M75", + "M78", + "M89", + "M91", + "M56", + "M63", + "M69", + "M80", + "M82", + "M88", + "M22", + "M16", + "M59", + "M60", + "M64", + "M66", + "M70", + "M71", + "M67", + "M68", + "M73", + "M74", + "M83", + "M84", + "M117", + "M143" + ], + "note": "domänenfremd (eID/Chip bzw. PSD2-SCA) — nicht CRA-Authentisierung" + }, + { + "type": "out_of_scope", + "obligation": "strong_customer_authentication", + "review_units": [ + "M92", + "M67", + "M93", + "M11", + "M115" + ], + "note": "domänenfremd (eID/Chip bzw. PSD2-SCA) — nicht CRA-Authentisierung" + } + ], + "curation": { + "version": "v1", + "method": "human_reasoned_rules", + "rules": [ + "crypto_micro→guidance", + "test_evidence→evidence_facet", + "mechanism_families_kept", + "foreign_domain→out_of_scope" + ], + "from_obligations": 54, + "to_obligations": 29 + } +} \ No newline at end of file